Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Le55bnMCON.msi

Overview

General Information

Sample name:Le55bnMCON.msi
renamed because original name is a hash value
Original sample name:b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899.msi
Analysis ID:1552154
MD5:6e58d9af76a06f068fc49d0f5f895966
SHA1:6eaf5813536f716cab6ccdda47e8f0beaa74b30c
SHA256:b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899
Tags:msisigneduser-JAMESWT_MHT
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6816 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Le55bnMCON.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6912 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7096 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CAAC4898E5F21B8FF741540F3B0CAAB6 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 6196 cmdline: rundll32.exe "C:\Windows\Installer\MSIE0CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7135531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 3264 cmdline: rundll32.exe "C:\Windows\Installer\MSIE39D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7136187 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6484 cmdline: rundll32.exe "C:\Windows\Installer\MSIF6F7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7141140 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7272 cmdline: rundll32.exe "C:\Windows\Installer\MSI1021.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7147593 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7120 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7112 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 5500 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 6152 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 2288 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="shyam@telcoict.com.au" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="fbcf2d79-fde9-446f-9db8-b915db64fdfb" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 7620 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4351DC68752ACF7C899C2675605CABA5 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • _isA4D9.exe (PID: 7272 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B352F26-5120-4117-A109-DE650674E7DA} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 7712 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA7BA938-024B-4129-BDD0-6B3FE9E5FB66} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 7696 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0FCA55A-7CF7-49BE-8B56-A74C1EB44F5E} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 5416 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0ADF7E2D-4BB9-42AA-A569-94D9707C001C} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 6812 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{860F9839-DA15-4056-88A7-841AD3A27997} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 7912 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F3231D3-6D37-465A-BC13-63CD6FF9624B} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 7772 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 8024 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C5ECAA2-1855-4FDF-894D-C85ACC1D9D7D} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 2848 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05F4BBFC-F955-4195-A522-A30DD645E32B} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • _isA4D9.exe (PID: 1784 cmdline: C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B23DA011-82C1-4020-8602-12398184AECF} MD5: 7A1C100DF8065815DC34C05ABC0C13DE)
      • cmd.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7140 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7184 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7660 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7768 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002eDbtlAAC MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7980 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002eDbtlAAC MD5: 31DEF444E6135301EA3C38A985341837)
      • conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 8112 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 8180 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 7092 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002eDbtlAAC MD5: 749C51599FBF82422791E0DF1C1E841C)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SplashtopStreamer.exe (PID: 1016 cmdline: "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1 MD5: 6AAE99153C786353C750BF8F5C9779B1)
        • PreVerCheck.exe (PID: 7260 cmdline: "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1 MD5: A7CE785B6CD1C9657040CA9B6CBEED10)
          • msiexec.exe (PID: 7148 cmdline: msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1" MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • AgentPackageMonitoring.exe (PID: 4108 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002eDbtlAAC MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7824 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7912 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 1704 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 7456 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dllJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 62 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            00000018.00000002.3058266535.0000019BB5444000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              00000021.00000002.2850032441.00000278C4821000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                0000000C.00000002.1923621881.0000025DAB86C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    00000018.00000002.3058266535.0000019BB543E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 191 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      20.2.AgentPackageAgentInformation.exe.24228f90000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        35.2.AgentPackageMonitoring.exe.19511510000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          12.0.AteraAgent.exe.25da9b70000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                            33.0.AgentPackageSTRemote.exe.278c4620000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              20.0.AgentPackageAgentInformation.exe.24228670000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 2 entries

                                Sigma Signatures

                                Sigma detected: CurrentVersion Autorun Keys Modification
                                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: SRCredentialProvider, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7620, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{97E1814E-5601-41c8-9971-10C319EF61CC}\(Default)
                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8112, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 8180, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7120, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7112, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7120, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7112, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 7456, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 20%
                                Multi AV Scanner detection for submitted file
                                Source: Le55bnMCON.msiReversingLabs: Detection: 26%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 95.1% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1514BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,35_2_00007FFDF1514BC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1514E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,35_2_00007FFDF1514E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1514DE0 CryptReleaseContext,35_2_00007FFDF1514DE0
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior
                                Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: 6cdf8b.msi.1.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2175913604.0000019511B42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Primitives\net6.0-Release\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdb source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Cng\net6.0-windows-Release\System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2175239542.0000019511AA2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdbH source: SRUsb.exe.1.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2395797543.000001E7F3A02000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2395797543.000001E7F3A02000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2187494673.000001952A402000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2175913604.0000019511B42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\netcoreapp3.1\Microsoft.Win32.TaskScheduler.pdb source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 00000026.00000000.2224064116.000000000042E000.00000002.00000001.01000000.00000025.sdmp, SplashtopStreamer.exe, 00000026.00000002.2821089649.000000000042E000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\netcoreapp3.1\Microsoft.Win32.TaskScheduler.pdbSHA256 source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000027.00000000.2270771449.0000000000633000.00000002.00000001.01000000.00000026.sdmp, PreVerCheck.exe, 00000027.00000002.2813267530.0000000000633000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: windoC:\Windows\Pubnub.pdb source: AteraAgent.exe, 00000018.00000002.3056419721.00000077AA837000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Le55bnMCON.msi, 6cdf87.msi.1.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2175239542.0000019511AA2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: _isA4D9.exe, 0000002A.00000000.2327305233.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002A.00000002.2329855136.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002B.00000002.2331329936.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002B.00000000.2328334476.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002C.00000002.2332120804.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002C.00000000.2329135416.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002D.00000000.2330306885.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002D.00000002.2333061848.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002E.00000000.2331531385.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002E.00000002.2335401357.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002F.00000000.2334471879.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002F.00000002.2371027260.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000030.00000000.2335921433.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000030.00000002.2338260940.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000031.00000000.2337077702.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000031.00000002.2342759307.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000032.00000000.2338040444.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000032.00000002.2344224301.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000033.00000002.2342596691.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000033.00000000.2340057763.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\net6.0-Release\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb source: PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: ent.pdb source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: System.Security.Cryptography.Cng.ni.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb{ source: PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1924805264.0000025DC4112000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1924805264.0000025DC4112000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Le55bnMCON.msi, 6cdf87.msi.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.24.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B281FFFh12_2_00007FFD9B281FAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B281873h12_2_00007FFD9B28172D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B281A44h12_2_00007FFD9B281A2D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B264ECBh13_2_00007FFD9B264C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B27B982h13_2_00007FFD9B27B72E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B27B982h13_2_00007FFD9B27B92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B264ECBh13_2_00007FFD9B264E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B4861F3h13_2_00007FFD9B48609D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B48681Eh13_2_00007FFD9B486765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B486CFCh13_2_00007FFD9B486765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax13_2_00007FFD9B486263
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B261873h13_2_00007FFD9B260C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B26227Bh13_2_00007FFD9B260C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B274ECBh24_2_00007FFD9B274EAF

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Enables network access during safeboot for specific services
                                Source: C:\Windows\SysWOW64\msiexec.exeRegistry value created: NULL Service
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.24228670000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe, type: DROPPED
                                Source: Joe Sandbox ViewIP Address: 40.119.152.241 40.119.152.241
                                Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C505D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805AF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004405000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.00000242292AF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024543000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.000001951218C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004AA5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805AF000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004405000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.00000242292AF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66CF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024543000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.000001951218C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32AF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3290000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2380145583.000001E7F2107000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp, Le55bnMCON.msi, SRUsb.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4373000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7806A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F329E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crtP
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crth
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C50FB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C507B000.00000004.00000800.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt&D
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3772000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2047468417.00000242418E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2047468417.00000242418CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B1A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2348562257.000001E03CD39000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001F.00000002.2198124194.000002ED7D54E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32AF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3290000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2380145583.000001E7F2107000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp, Le55bnMCON.msi, SRUsb.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC435E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4006000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4373000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7806A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F329E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC434F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C50FB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C507B000.00000004.00000800.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp, Le55bnMCON.msiString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: 6cdf8b.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlw
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crlLow
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB696A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl$Y
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4373000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7806A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F329E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE903000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl6
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl8
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlOXT6
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlfY?5
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlv
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlxw
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdowR7
                                Source: AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabonK
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE860000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab4
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?15776c8
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3d47c1e
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4d748c7
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?64342e8
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8ad9460
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8d9e77f
                                Source: AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c6bf837
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d935bcd
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BD3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f0390f1
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff657aa
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabS
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE860000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabY
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/vi
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE7C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/truste
                                Source: AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE7C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?81e1
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8ad9
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8d9e
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f039
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C509F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C509F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3772000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C505D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.dgi
                                Source: AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRMt
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/l
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4373000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7806A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F329E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3772000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2047468417.00000242418E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2047468417.00000242418CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B1A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2348562257.000001E03CD39000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000001F.00000002.2198124194.000002ED7D54E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32AF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3290000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2380145583.000001E7F2107000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp, Le55bnMCON.msi, SRUsb.exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED3B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C50FB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C507B000.00000004.00000800.00020000.00000000.sdmp, PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://c
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crtit
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3104741258.0000019BCE796000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2175576254.0000019511AF2000.00000002.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3772000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                                Source: AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                                Source: AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB696A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924984962.0000025DC4373000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7806A4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F329E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPSoSsr
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPStopS
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3B50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: 6cdf8b.msi.1.drString found in binary or memory: http://www.flexerasoftware.com0
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P2~
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDf
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Pro
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Acknowl
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands)
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequest
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024383000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/fbcf2d79-fde9-446f-9db8-b915db64fdfb
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000004.00000002.1861868953.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004426000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comh
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comh2
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.comhBo
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
                                Source: AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C5083000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C5083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C505D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C507F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.3.exe
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: Microsoft.Win32.TaskScheduler.dll0.24.drString found in binary or memory: https://github.com/dahall/taskscheduler
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: System.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Security.Cryptography.Cng.dll.1.dr, System.Reflection.Emit.dll.1.drString found in binary or memory: https://github.com/dotnet/runtime
                                Source: AteraAgent.exe, 0000000D.00000002.2395797543.000001E7F3A02000.00000002.00000001.01000000.00000029.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C5058000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189398737.000001952A588000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateHz
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78019C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78019C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/20.1/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.0/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/27.1/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip?TV4U36
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?TV4U36qfng
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78019C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.9/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMoni
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?TV4U3
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.1/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.0/AgentPackageProgramManage
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageST
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip?TV4U36qfn
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip?TV4U36q
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7801D8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78019C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoriP
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemo0
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78054F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB667D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66F3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6683000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6854000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78054F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E7800FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB667D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CA3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66F3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6683000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB696E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6854000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2b173d0e-2550-4ff5-aea3-7f5355b2456b
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3a251339-3e59-4c6b-ab71-e6bac82c5bc4
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f279a6-9657-4bc1-af29-5ad914073c8b
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=82f65192-35a6-4baa-b7c0-3ae6a38ca2c1
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7800FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8c4940d7-6468-4110-952b-b2cf796c4fd8
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8ea1cf17-bcfa-4bc8-ac90-b38d9f8529aa
                                Source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=deb5ed17-32ce-44ff-8808-09cab14ce0c0
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_k
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/fbcf2d79
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/su
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/fbcf2d79-fde9-446f-
                                Source: AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/fbcf2d79-fde9-446f-9db8
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188329818.000001952A4A4000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.dr, 6cdf8b.msi.1.drString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189398737.000001952A588000.00000002.00000001.01000000.00000023.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://www.openssl.org/H
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2223243014.00007FFDF16A4000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf85.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE0CD.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE39D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6F7.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF90B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF91C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF96B.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFA66.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf87.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf87.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1021.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf88.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA212.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA2DE.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA408.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBD8C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC1F2.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf8b.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf8b.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1217.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI15A2.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FB3.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4908.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5BB6.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\6cdf8d.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6D7A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7655.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRC92E.tmp
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRC92E.tmp
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIE0CD.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_048A76784_3_048A7678
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_048A00404_3_048A0040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_046A50B85_3_046A50B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_046A59A85_3_046A59A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_046A4D685_3_046A4D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B28C92212_2_00007FFD9B28C922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B28BB7612_2_00007FFD9B28BB76
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B281C0E13_2_00007FFD9B281C0E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B27C9DD13_2_00007FFD9B27C9DD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B28389013_2_00007FFD9B283890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B27C93013_2_00007FFD9B27C930
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B27901313_2_00007FFD9B279013
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B27CE9013_2_00007FFD9B27CE90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B271CF013_2_00007FFD9B271CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B269AF213_2_00007FFD9B269AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B27CF7813_2_00007FFD9B27CF78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B4793BD13_2_00007FFD9B4793BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B47E2FA13_2_00007FFD9B47E2FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B47693513_2_00007FFD9B476935
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B47AC9713_2_00007FFD9B47AC97
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B480FF013_2_00007FFD9B480FF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B48100013_2_00007FFD9B481000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B480EA613_2_00007FFD9B480EA6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B480F0213_2_00007FFD9B480F02
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B260C5813_2_00007FFD9B260C58
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0677EDC816_3_0677EDC8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0685767816_3_06857678
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0685004016_3_06850040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B25FA9420_2_00007FFD9B25FA94
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B2578D620_2_00007FFD9B2578D6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B2610C020_2_00007FFD9B2610C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B263FFA20_2_00007FFD9B263FFA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B25868220_2_00007FFD9B258682
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B27047D20_2_00007FFD9B27047D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B2512FB20_2_00007FFD9B2512FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B25BDB020_2_00007FFD9B25BDB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B2564A520_2_00007FFD9B2564A5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B2812FB22_2_00007FFD9B2812FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B279EDF24_2_00007FFD9B279EDF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B281D8B24_2_00007FFD9B281D8B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B28033824_2_00007FFD9B280338
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B27EA2824_2_00007FFD9B27EA28
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27895627_2_00007FFD9B278956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28600B27_2_00007FFD9B28600B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27CE0927_2_00007FFD9B27CE09
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27FC5D27_2_00007FFD9B27FC5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B2712FA27_2_00007FFD9B2712FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B2740F827_2_00007FFD9B2740F8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27183527_2_00007FFD9B271835
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27465F27_2_00007FFD9B27465F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B2966B027_2_00007FFD9B2966B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27970227_2_00007FFD9B279702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28265527_2_00007FFD9B282655
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27C47F27_2_00007FFD9B27C47F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B285B3127_2_00007FFD9B285B31
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B279F9327_2_00007FFD9B279F93
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B279FBF27_2_00007FFD9B279FBF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28D35027_2_00007FFD9B28D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27421A27_2_00007FFD9B27421A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B29009827_2_00007FFD9B290098
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B27073027_2_00007FFD9B270730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2882FB33_2_00007FFD9B2882FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2951C833_2_00007FFD9B2951C8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B283EFA33_2_00007FFD9B283EFA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B296F5933_2_00007FFD9B296F59
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2915FD33_2_00007FFD9B2915FD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2815FA33_2_00007FFD9B2815FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B29847633_2_00007FFD9B298476
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B285C6833_2_00007FFD9B285C68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B29F1D333_2_00007FFD9B29F1D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B29F0C533_2_00007FFD9B29F0C5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B28083833_2_00007FFD9B280838
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF158B88035_2_00007FFDF158B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF16401E035_2_00007FFDF16401E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF16320E035_2_00007FFDF16320E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF163696035_2_00007FFDF1636960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15011B035_2_00007FFDF15011B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF156F1B035_2_00007FFDF156F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159917035_2_00007FFDF1599170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF157F22035_2_00007FFDF157F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF161320035_2_00007FFDF1613200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF16350F035_2_00007FFDF16350F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15293D035_2_00007FFDF15293D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159B37035_2_00007FFDF159B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15DF3E035_2_00007FFDF15DF3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150D28435_2_00007FFDF150D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150F34035_2_00007FFDF150F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159D35035_2_00007FFDF159D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF151564035_2_00007FFDF1515640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF156B64735_2_00007FFDF156B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154F63035_2_00007FFDF154F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150D63435_2_00007FFDF150D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15074B035_2_00007FFDF15074B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150347435_2_00007FFDF1503474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150955C35_2_00007FFDF150955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF155F78035_2_00007FFDF155F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF164F79035_2_00007FFDF164F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154D77035_2_00007FFDF154D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF165184035_2_00007FFDF1651840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF151D83035_2_00007FFDF151D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15F56D035_2_00007FFDF15F56D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A169035_2_00007FFDF15A1690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A772035_2_00007FFDF15A7720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15736E035_2_00007FFDF15736E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF156B9F035_2_00007FFDF156B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15618DA35_2_00007FFDF15618DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF152D91035_2_00007FFDF152D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1549BA035_2_00007FFDF1549BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15EDB8035_2_00007FFDF15EDB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1643C2035_2_00007FFDF1643C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF152BBE035_2_00007FFDF152BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1535AD035_2_00007FFDF1535AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1539A6035_2_00007FFDF1539A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15B7A6035_2_00007FFDF15B7A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1567B3035_2_00007FFDF1567B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A3AF035_2_00007FFDF15A3AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1515E5035_2_00007FFDF1515E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1533E1035_2_00007FFDF1533E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15DDCC035_2_00007FFDF15DDCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15EBCD035_2_00007FFDF15EBCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15D7D2035_2_00007FFDF15D7D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1549CF035_2_00007FFDF1549CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159FED035_2_00007FFDF159FED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15B5EA035_2_00007FFDF15B5EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A7EA035_2_00007FFDF15A7EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1583EB035_2_00007FFDF1583EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1507EC035_2_00007FFDF1507EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1547E7035_2_00007FFDF1547E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1595F2035_2_00007FFDF1595F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1539F3035_2_00007FFDF1539F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1517F3035_2_00007FFDF1517F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF155FEF035_2_00007FFDF155FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF157224035_2_00007FFDF1572240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15BC22035_2_00007FFDF15BC220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159A0C035_2_00007FFDF159A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A40A035_2_00007FFDF15A40A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF158C11035_2_00007FFDF158C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15A22B035_2_00007FFDF15A22B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF152033035_2_00007FFDF1520330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF152231035_2_00007FFDF1522310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15C831035_2_00007FFDF15C8310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15AA2F035_2_00007FFDF15AA2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF16205D035_2_00007FFDF16205D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15085D435_2_00007FFDF15085D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15BA5D035_2_00007FFDF15BA5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF163E5B035_2_00007FFDF163E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15BE59035_2_00007FFDF15BE590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15E659035_2_00007FFDF15E6590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF158060035_2_00007FFDF1580600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15144DC35_2_00007FFDF15144DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15664A035_2_00007FFDF15664A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF158455035_2_00007FFDF1584550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150A52435_2_00007FFDF150A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF155051035_2_00007FFDF1550510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150E80C35_2_00007FFDF150E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159A7E035_2_00007FFDF159A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF163C68035_2_00007FFDF163C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF151E72035_2_00007FFDF151E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF151273835_2_00007FFDF1512738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF155E99035_2_00007FFDF155E990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1508A3C35_2_00007FFDF1508A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15588A035_2_00007FFDF15588A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15028C035_2_00007FFDF15028C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF151886035_2_00007FFDF1518860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15C686035_2_00007FFDF15C6860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15F691035_2_00007FFDF15F6910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1558B9035_2_00007FFDF1558B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15ACC0035_2_00007FFDF15ACC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1526A8035_2_00007FFDF1526A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1548A6035_2_00007FFDF1548A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15CAA7035_2_00007FFDF15CAA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF157CB5035_2_00007FFDF157CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15EAB0035_2_00007FFDF15EAB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1504DB435_2_00007FFDF1504DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF163CD6035_2_00007FFDF163CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1560E3035_2_00007FFDF1560E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1516CC035_2_00007FFDF1516CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154ACD035_2_00007FFDF154ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1634C8035_2_00007FFDF1634C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1586D2035_2_00007FFDF1586D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1650D3035_2_00007FFDF1650D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15C8D2035_2_00007FFDF15C8D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1574D0035_2_00007FFDF1574D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF159EFD035_2_00007FFDF159EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154AFB035_2_00007FFDF154AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1512F8C35_2_00007FFDF1512F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154902035_2_00007FFDF1549020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150CEA835_2_00007FFDF150CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF152CE7035_2_00007FFDF152CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B25ED6D35_2_00007FFD9B25ED6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B25603935_2_00007FFD9B256039
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B25BD6135_2_00007FFD9B25BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B2594FA35_2_00007FFD9B2594FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B4732A635_2_00007FFD9B4732A6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B47F08835_2_00007FFD9B47F088
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B47255835_2_00007FFD9B472558
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B4724E835_2_00007FFD9B4724E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5812CF35_2_00007FFD9B5812CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B583C7135_2_00007FFD9B583C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B584D1735_2_00007FFD9B584D17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5812FB35_2_00007FFD9B5812FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B580CB035_2_00007FFD9B580CB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B57950535_2_00007FFD9B579505
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B644F8835_2_00007FFD9B644F88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B64346A35_2_00007FFD9B64346A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B64EDB835_2_00007FFD9B64EDB8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B640B7735_2_00007FFD9B640B77
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B658D7F35_2_00007FFD9B658D7F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7E6A6735_2_00007FFD9B7E6A67
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7F3A8A35_2_00007FFD9B7F3A8A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7E9C6535_2_00007FFD9B7E9C65
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B7E04C935_2_00007FFD9B7E04C9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1651D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF1651B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF16506B0 appears 145 times
                                Source: System.Runtime.CompilerServices.VisualC.dll.1.drStatic PE information: No import functions for PE file found
                                Source: mscorrc.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-processthreads-l1-1-1.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Collections.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Net.NameResolution.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.IO.Compression.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Runtime.InteropServices.RuntimeInformation.dll.1.drStatic PE information: No import functions for PE file found
                                Source: Microsoft.Win32.Registry.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Collections.Specialized.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.ComponentModel.EventBasedAsync.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Linq.dll.1.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-file-l1-1-0.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Data.Common.dll.1.drStatic PE information: No import functions for PE file found
                                Source: System.Reflection.DispatchProxy.dll.1.drStatic PE information: No import functions for PE file found
                                Source: Le55bnMCON.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Le55bnMCON.msi
                                Source: Le55bnMCON.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs Le55bnMCON.msi
                                Source: Le55bnMCON.msiBinary or memory string: OriginalFilenamewixca.dll\ vs Le55bnMCON.msi
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@195/1021@0/9
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7920:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8120:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3196:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7668:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7776:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8012:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7192:120:WilError_03
                                Source: C:\Windows\Temp\SplashtopStreamer.exeMutant created: \BaseNamedObjects\Global\{47B9233E-7E50-46F2-B442-6A53F0D0F508}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6152:120:WilError_03
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF9E3106EBFEFF2114.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
                                Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE0CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7135531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9v
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9v
                                Source: 6cdf8b.msi.1.drBinary or memory string: SELECT Feature_ FROM ISSetupTypeFeatures WHERE ISSetupType_ = '%s'SetupType.cppsysnativesyswow64SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs[Win32]SharedFiles.cpp;Page UpPage DownEndHomeLeftUpRightDownInsertNum *Num /Num +Num -
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9v
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2190647233.000001952B175000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);R
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2190647233.000001952B175000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.00000195121BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.00000195121BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9v
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9v
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: Le55bnMCON.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: Le55bnMCON.msiReversingLabs: Detection: 26%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Le55bnMCON.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CAAC4898E5F21B8FF741540F3B0CAAB6
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE0CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7135531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE39D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7136187 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF6F7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7141140 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="shyam@telcoict.com.au" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="fbcf2d79-fde9-446f-9db8-b915db64fdfb"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1021.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7147593 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4351DC68752ACF7C899C2675605CABA5 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B352F26-5120-4117-A109-DE650674E7DA}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA7BA938-024B-4129-BDD0-6B3FE9E5FB66}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0FCA55A-7CF7-49BE-8B56-A74C1EB44F5E}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0ADF7E2D-4BB9-42AA-A569-94D9707C001C}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{860F9839-DA15-4056-88A7-841AD3A27997}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F3231D3-6D37-465A-BC13-63CD6FF9624B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C5ECAA2-1855-4FDF-894D-C85ACC1D9D7D}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05F4BBFC-F955-4195-A522-A30DD645E32B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B23DA011-82C1-4020-8602-12398184AECF}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CAAC4898E5F21B8FF741540F3B0CAAB6Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="shyam@telcoict.com.au" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="fbcf2d79-fde9-446f-9db8-b915db64fdfb"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4351DC68752ACF7C899C2675605CABA5 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE0CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7135531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE39D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7136187 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF6F7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7141140 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1021.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7147593 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B352F26-5120-4117-A109-DE650674E7DA}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA7BA938-024B-4129-BDD0-6B3FE9E5FB66}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0FCA55A-7CF7-49BE-8B56-A74C1EB44F5E}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0ADF7E2D-4BB9-42AA-A569-94D9707C001C}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{860F9839-DA15-4056-88A7-841AD3A27997}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F3231D3-6D37-465A-BC13-63CD6FF9624B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C5ECAA2-1855-4FDF-894D-C85ACC1D9D7D}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05F4BBFC-F955-4195-A522-A30DD645E32B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B23DA011-82C1-4020-8602-12398184AECF}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA7BA938-024B-4129-BDD0-6B3FE9E5FB66}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05F4BBFC-F955-4195-A522-A30DD645E32B}
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: smphost.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mispace.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sxshared.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmiclnt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wevtapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: virtdisk.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: resutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: clusapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmitomi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fastprox.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cscapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fmifs.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.iniJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to behavior
                                Source: Le55bnMCON.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: 6cdf8b.msi.1.dr
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000023.00000002.2175913604.0000019511B42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Primitives\net6.0-Release\System.IO.FileSystem.Primitives.pdb source: System.IO.FileSystem.Primitives.dll.1.dr
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdb source: SRUsb.exe.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.Cng\net6.0-windows-Release\System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.IsolatedStorage\net6.0-windows-Release\System.IO.IsolatedStorage.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2175239542.0000019511AA2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SRUSB\Source_RemoteUSB_VH\src\platform\windows\Release\x64\SRUsb.pdbH source: SRUsb.exe.1.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2395797543.000001E7F3A02000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2395797543.000001E7F3A02000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2187494673.000001952A402000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2175913604.0000019511B42000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\netcoreapp3.1\Microsoft.Win32.TaskScheduler.pdb source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 00000026.00000000.2224064116.000000000042E000.00000002.00000001.01000000.00000025.sdmp, SplashtopStreamer.exe, 00000026.00000002.2821089649.000000000042E000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\netcoreapp3.1\Microsoft.Win32.TaskScheduler.pdbSHA256 source: Microsoft.Win32.TaskScheduler.dll0.24.dr
                                Source: Binary string: System.IO.IsolatedStorage.ni.pdb source: System.IO.IsolatedStorage.dll.1.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000027.00000000.2270771449.0000000000633000.00000002.00000001.01000000.00000026.sdmp, PreVerCheck.exe, 00000027.00000002.2813267530.0000000000633000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: windoC:\Windows\Pubnub.pdb source: AteraAgent.exe, 00000018.00000002.3056419721.00000077AA837000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Le55bnMCON.msi, 6cdf87.msi.1.dr
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000023.00000002.2175239542.0000019511AA2000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: _isA4D9.exe, 0000002A.00000000.2327305233.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002A.00000002.2329855136.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002B.00000002.2331329936.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002B.00000000.2328334476.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002C.00000002.2332120804.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002C.00000000.2329135416.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002D.00000000.2330306885.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002D.00000002.2333061848.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002E.00000000.2331531385.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002E.00000002.2335401357.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002F.00000000.2334471879.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 0000002F.00000002.2371027260.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000030.00000000.2335921433.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000030.00000002.2338260940.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000031.00000000.2337077702.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000031.00000002.2342759307.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000032.00000000.2338040444.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000032.00000002.2344224301.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000033.00000002.2342596691.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp, _isA4D9.exe, 00000033.00000000.2340057763.00007FF6B0A77000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\net6.0-Release\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb source: PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: ent.pdb source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: System.Security.Cryptography.Cng.ni.pdb source: System.Security.Cryptography.Cng.dll.1.dr
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2222201537.00007FFDF165A000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: c:\slave\workspace\GIT_WIN_Comp_SocketCtrl\Source_SocketCtrl\src\dll\Release\SRSocketCtrl.pdb{ source: PreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1924805264.0000025DC4112000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1924805264.0000025DC4112000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Le55bnMCON.msi, 6cdf87.msi.1.dr
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.24.dr
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp
                                Source: System.Threading.ThreadPool.dll.1.drStatic PE information: 0xF692D8AA [Wed Feb 2 20:20:58 2101 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1511910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1511910
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_048A4ECF push dword ptr [esp+ecx*2-75h]; ret 4_3_048A4ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B26A0F3 push eax; retf 13_2_00007FFD9B26A119
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B26C540 push ebp; retf 13_2_00007FFD9B26C5F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B280AFB pushad ; ret 13_2_00007FFD9B280B01
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B470F64 push eax; ret 13_2_00007FFD9B470F94
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_067757B8 push es; ret 16_3_06775840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06774E90 push es; ret 16_3_06774EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_0677576F push es; ret 16_3_06775840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06775850 push es; ret 16_3_067758C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_3_06854ECF push dword ptr [esp+ecx*2-75h]; ret 16_3_06854ED3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B2825F2 push eax; iretd 24_2_00007FFD9B282671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B27A648 push eax; retf 24_2_00007FFD9B27A659
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B4836C0 push eax; ret 24_2_00007FFD9B483704
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B4870C8 push ecx; retf 5F38h24_2_00007FFD9B48D84C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B48754D push ebx; iretd 24_2_00007FFD9B48756A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 24_2_00007FFD9B4800F2 push 00000008h; iretd 24_2_00007FFD9B4800F4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28D168 pushad ; iretd 27_2_00007FFD9B29AA45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B283A4D push ebx; retf 27_2_00007FFD9B283A6A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28792B push ebx; retf 27_2_00007FFD9B28796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28FFB8 push FFFFFFE8h; retf 27_2_00007FFD9B28FFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B28FEFA push FFFFFFE8h; retf 27_2_00007FFD9B28FFF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B272DB0 push eax; ret 27_2_00007FFD9B272E1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 27_2_00007FFD9B288163 push ebx; ret 27_2_00007FFD9B28816A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2951C8 push edx; iretd 33_2_00007FFD9B296E3B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B297C2E pushad ; retf 33_2_00007FFD9B297C5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B29699C push eax; ret 33_2_00007FFD9B29699D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B287963 push ebx; retf 33_2_00007FFD9B28796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B2800BD pushad ; iretd 33_2_00007FFD9B2800C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B296DF9 push edx; iretd 33_2_00007FFD9B296E3B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B297C5E push eax; retf 33_2_00007FFD9B297C6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B29F4FA push FFFFFFE8h; retf 33_2_00007FFD9B29F5F1
                                Source: System.Linq.dll.1.drStatic PE information: section name: .text entropy: 6.8378154934993045

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Sample is not signed and drops a device driver
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FB3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4908.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5BB6.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6F7.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE0CD.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF91C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE39D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6D7A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI15A2.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF96B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1021.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA212.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBD8C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA408.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFA66.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA2DE.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\_is34E4.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFA66.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE39D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2FB3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF96B.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6D7A.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\ISRT.dllJump to dropped file
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile created: C:\Windows\Temp\unpack\PreVerCheck.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\_isC1.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF6F7.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA212.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBD8C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA2DE.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1021.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\_isA7F2.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA408.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI4908.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\System32\SRC92E.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\_is19F8.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE0CD.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\ISRT.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIE0CD.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF91C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI15A2.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\ISRT.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeFile created: C:\Windows\Temp\unpack\libssl-3.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\system32\SRCredentialProvider.dll (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIF6F7.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI5BB6.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\Splashtop Streamer.lnk
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_00007FFDF150A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 25DAB680000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 25DC36F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7F2800000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1E7F2BD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 242288D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24241180000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24AD7240000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24AEF790000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 19BB5560000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 19BCDC20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E023D80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1E03C2F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 278C4DE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 278DCF00000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 195114E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 19529C10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B476526 rdtsc 35_2_00007FFD9B476526
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599217
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598229
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596787
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596665
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596543
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596436
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596315
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599746
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599529
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599398
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598358
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597967
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597584
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597244
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597129
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596979
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596842
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596729
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596400
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595714
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595449
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595331
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595212
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594963
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594405
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3655
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6057
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 9038
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 371
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 6522
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 2620
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 6673
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 3017
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3217
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FB3.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF6F7.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI4908.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF6F7.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5BB6.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1021.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF6F7.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE0CD.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE0CD.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE39D.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF91C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\system32\SRCredentialProvider.dll (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE39D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6D7A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI15A2.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeDropped PE file which has not been started: C:\Windows\Temp\unpack\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeDropped PE file which has not been started: C:\Windows\Temp\unpack\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\ISRT.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF96B.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1021.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIE0CD.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dllJump to dropped file
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeDropped PE file which has not been started: C:\Windows\Temp\unpack\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\SRC92E.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\_isres_0x0409.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 1800Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7116Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1700Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1696Thread sleep count: 3655 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1696Thread sleep count: 6057 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7320Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7320Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7352Thread sleep time: -150000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7364Thread sleep time: -5534023222112862s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7348Thread sleep time: -180000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7416Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7736Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7712Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7820Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7872Thread sleep count: 9038 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7864Thread sleep count: 371 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5516Thread sleep count: 36 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5516Thread sleep time: -33204139332677172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7220Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 404Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8140Thread sleep count: 6522 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8144Thread sleep count: 2620 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep count: 33 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -30437127721620741s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599328s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599217s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -599000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598561s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598229s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -598109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -597996s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -597547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -597234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -597125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -597015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596787s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596665s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596543s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596436s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596315s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -596078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595406s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7100Thread sleep time: -595187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7288Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep count: 37 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -34126476536362649s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 1076Thread sleep count: 6673 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599746s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599639s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599529s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599398s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -599109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -598738s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -598358s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -598220s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -598093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597967s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597702s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597584s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597244s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -597129s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 1076Thread sleep count: 3017 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596979s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596842s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596729s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596400s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596295s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -596077s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595856s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595714s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595559s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595449s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595331s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595212s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -595093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594963s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594843s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594405s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594296s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -594078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593750s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593527s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -593093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -592984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -592874s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -592765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 7400Thread sleep time: -592656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3796Thread sleep count: 3217 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5304Thread sleep time: -7378697629483816s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5304Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6584Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2792Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\Temp\SplashtopStreamer.exe TID: 5344Thread sleep time: -60000s >= -30000s
                                Source: C:\Windows\SysWOW64\msiexec.exe TID: 7332Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599217
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598229
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597996
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596787
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596665
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596543
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596436
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596315
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595406
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599746
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599639
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599529
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599398
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598358
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597967
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597584
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597244
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597129
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596979
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596842
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596729
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596400
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595714
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595449
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595331
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595212
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594963
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594405
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593750
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
                                Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\
                                Source: svchost.exe, 00000025.00000003.2268100569.000002A794744000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000025.00000002.3055673701.000002A794252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m0VMware Virtual disk6000c2942fce4d06663969f532e45d1aSP2.0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2346957694.000001E03CC12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"l=
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000025.00000002.3055115251.000002A794200000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A#
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped:
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2348562257.000001E03CCD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000025.00000002.3055673701.000002A794252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3772000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3107381795.0000019BCE8F3000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2191541804.000001952B2E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: svchost.exe, 00000025.00000002.3056004732.000002A79429C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000025.00000003.2268100569.000002A794744000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: rundll32.exe, 00000010.00000002.1979969598.000000000081E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedk
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000025.00000002.3055389328.000002A794213000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: rundll32.exe, 00000004.00000002.1860763410.0000000000A3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                                Source: svchost.exe, 00000025.00000002.3056106445.000002A7942CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SetPropValue.Manufacturer("VMware");
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2173998714.0000019511512000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000025.00000002.3055673701.000002A794252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: svchost.exe, 00000025.00000002.3056106445.000002A7942B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347322855.000001E03CC3C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AteraAgent.exe, 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWts.digicert.comDigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2346957694.000001E03CC12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedlln/AtI
                                Source: svchost.exe, 00000025.00000002.3055673701.000002A794252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000025.00000002.3056106445.000002A7942B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @"VMware"0"k"
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown#
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW/
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: svchost.exe, 00000025.00000002.3055507839.000002A79422B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: svchost.exe, 00000025.00000002.3055743359.000002A79427D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
                                Source: AteraAgent.exe, 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped1
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2047468417.0000024241840000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2348232355.000001E03CCB0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2935696263.00000278DD7A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AteraAgent.exe, 0000000C.00000002.1924284253.0000025DC3FD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP2
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2328116682.000001E023B09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: svchost.exe, 00000025.00000002.3056004732.000002A79429C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AteraAgent.exe, 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2173998714.0000019511512000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000025.00000002.3055673701.000002A794252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0nSS @
                                Source: svchost.exe, 00000025.00000002.3055743359.000002A794268000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000025.00000003.2268100569.000002A794744000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2346957694.000001E03CC12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"P=6LS
                                Source: svchost.exe, 00000025.00000002.3055115251.000002A794200000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0VMwareVirtual disk6000c2942fce4d06663969f532e45d1a2.0
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat%
                                Source: AgentPackageAgentInformation.exe, 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStoppedl
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B476526 rdtsc 35_2_00007FFD9B476526
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1511910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1511910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,35_2_00007FFDF154B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1511910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDF1511910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF1507A84 GetProcessHeap,35_2_00007FFDF1507A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00007FFDF150ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="shyam@telcoict.com.au" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="fbcf2d79-fde9-446f-9db8-b915db64fdfb"Jump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002eDbtlAAC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\Temp\unpack\PreVerCheck.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="shyam@telcoict.com.au" /companyid="22" /integratorloginui="" /companyidui="" /folderid="21" /accountid="0013z00002edbtlaac" /agentid="fbcf2d79-fde9-446f-9db8-b915db64fdfb"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/production 443 or8ixli90mf "identified" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 0013z00002edbtlaac
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="shyam@telcoict.com.au" /companyid="22" /integratorloginui="" /companyidui="" /folderid="21" /accountid="0013z00002edbtlaac" /agentid="fbcf2d79-fde9-446f-9db8-b915db64fdfb"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/production 443 or8ixli90mf "identified" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 0013z00002edbtlaac
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 0013z00002edbtlaac
                                Source: 6cdf8b.msi.1.drBinary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
                                Source: 6cdf8b.msi.1.drBinary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150739C cpuid 35_2_00007FFDF150739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE0CD.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE39D.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF6F7.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1021.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF150CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,35_2_00007FFDF150CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF15085D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,35_2_00007FFDF15085D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 20.2.AgentPackageAgentInformation.exe.24228f90000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.2.AgentPackageMonitoring.exe.19511510000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.25da9b70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 33.0.AgentPackageSTRemote.exe.278c4620000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.24228670000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageMonitoring.exe.19511080000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000018.00000002.3058266535.0000019BB5444000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C4821000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB86C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3058266535.0000019BB543E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2382135962.000001E7F2370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2045666683.00000242288C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2190585524.000001952AF77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2069210697.0000024AD707B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172224977.0000019511170000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2935696263.00000278DD7D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E78006E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2173998714.0000019511512000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2047468417.0000024241840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.0000019511251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2045722726.0000024228935000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E0244E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2069210697.0000024AD7040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB7A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1922775108.0000025DA9C80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C482D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2855258449.00000278C5083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.00000195112FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB7A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB77C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2046686892.0000024229181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2190647233.000001952B175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2330427171.000001E023C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2935696263.00000278DD80D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE7C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2223066667.00007FFDF1699000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB6921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2191541804.000001952B2FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2046686892.00000242291F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2380145583.000001E7F211E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2205414780.000001C5C146C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C4805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB692E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2045722726.000002422896E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB779000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2380145583.000001E7F20E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071640791.0000024AD7813000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1922878127.0000025DA9CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2205414780.000001C5C1460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB696A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2380145583.000001E7F216D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3060869735.0000019BB5B1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3058266535.0000019BB5400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E0244AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2205875034.000001C5C1560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2855258449.00000278C510C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB690D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071640791.0000024AD7803000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E024517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E024383000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2362532887.00000028B39E5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.000001951121C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.000001951125C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3053597971.00000077A94F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071640791.0000024AD7791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2069210697.0000024AD7049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2834835376.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2069210697.0000024AD70C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.000001951129A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1926114762.00007FFD9B314000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3058266535.0000019BB548D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071607928.0000024AD73F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3058027319.0000019BB52C0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE7B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB7AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB66CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB822000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000026.00000002.2833474219.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C48C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2045722726.00000242288E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2391825905.000001E7F3782000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2174197330.0000019511530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB692A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000003.2082753921.000001C5C1580000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3104741258.0000019BCE838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3109272217.0000019BCED6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2191385824.000001952B186000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2935696263.00000278DD7A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2197804094.000002ED7D4D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E024453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2172506342.0000019511210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3060664134.0000019BB5600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1922964501.0000025DA9CE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E78042A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2185856294.000001952A2D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923212837.0000025DA9D76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB5C88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1923621881.0000025DAB6F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2045722726.0000024228920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1922878127.0000025DA9CCC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2347851397.000001E03CC80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2855258449.00000278C4F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1924960432.0000025DC4240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3108402911.0000019BCE930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2381864614.000001E7F21E0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2852316069.00000278C4A30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2205414780.000001C5C1483000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C486D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB6854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1922964501.0000025DA9CED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1925310996.0000025DC43AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2176320463.0000019511C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2850032441.00000278C47E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2176320463.00000195121BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6196, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3264, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6484, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 2288, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7140, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7272, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7660, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7768, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7824, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7980, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 8112, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 8180, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 7092, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 4108, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: SplashtopStreamer.exe PID: 1016, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFC4F3156EFB829EDF.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF87B49D07C30BE433.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075552_000_dotnet_runtime_6.0.35_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0B1F83CB212A9075.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF761CCED7FD57F589.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD8DCFFD735C6E6BF.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF34C6AB6AD4D1677B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD7CE1361C4B2B636.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\6cdf86.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIF90B.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9E3106EBFEFF2114.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDF154B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,35_2_00007FFDF154B9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		541
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services1
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		31
                                Windows Service                                		1
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		31
                                Windows Service                                		112
                                Process Injection                                		4
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts1
                                Scheduled Task/Job                                		1
                                Scheduled Task/Job                                		1
                                Scheduled Task/Job                                		1
                                Software Packing                                		NTDS155
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		1
                                Registry Run Keys / Startup Folder                                		1
                                Registry Run Keys / Startup Folder                                		1
                                Timestomp                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                DLL Side-Loading                                		Cached Domain Credentials681
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                                File Deletion                                		DCSync2
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job123
                                Masquerading                                		Proc Filesystem361
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                                Modify Registry                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron361
                                Virtualization/Sandbox Evasion                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd112
                                Process Injection                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                                Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
                                Rundll32                                		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1552154 Sample: Le55bnMCON.msi Startdate: 08/11/2024 Architecture: WINDOWS Score: 100 145 Multi AV Scanner detection for dropped file 2->145 147 Multi AV Scanner detection for submitted file 2->147 149 Yara detected AteraAgent 2->149 151 7 other signatures 2->151 9 msiexec.exe 501 769 2->9         started        13 AteraAgent.exe 2->13         started        16 AteraAgent.exe 2->16         started        18 3 other processes 2->18 process3 dnsIp4 93 C:\Windows\Installer\...\ARPPRODUCTICON.exe, PE32 9->93 dropped 95 C:\Windows\Installer\MSIF6F7.tmp, PE32 9->95 dropped 97 C:\Windows\Installer\MSIE39D.tmp, PE32 9->97 dropped 105 393 other files (341 malicious) 9->105 dropped 163 Sample is not signed and drops a device driver 9->163 20 msiexec.exe 9->20         started        24 msiexec.exe 9->24         started        26 AteraAgent.exe 9->26         started        29 msiexec.exe 9->29         started        137 18.66.112.125 MIT-GATEWAYSUS United States 13->137 139 93.184.221.240 EDGECASTUS European Union 13->139 99 C:\...\System.Management.dll, PE32 13->99 dropped 101 C:\...101ewtonsoft.Json.dll, PE32 13->101 dropped 103 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 13->103 dropped 107 278 other malicious files 13->107 dropped 165 Installs Task Scheduler Managed Wrapper 13->165 31 sc.exe 13->31         started        141 18.66.112.10 MIT-GATEWAYSUS United States 16->141 143 35.157.63.228 AMAZON-02US United States 16->143 109 31 other malicious files 16->109 dropped 167 Creates files in the system32 config directory 16->167 169 Reads the Security eventlog 16->169 171 Reads the System eventlog 16->171 33 AgentPackageSTRemote.exe 16->33         started        35 AgentPackageAgentInformation.exe 16->35         started        37 AgentPackageMonitoring.exe 16->37         started        39 3 other processes 16->39 file5 signatures6 process7 dnsIp8 79 C:\...\SRCredentialProvider.dll (copy), PE32+ 20->79 dropped 81 C:\Windows\Temp\...\_isres_0x0409.dll, PE32 20->81 dropped 83 C:\Windows\Temp\...\_isA7F2.exe, PE32+ 20->83 dropped 91 14 other malicious files 20->91 dropped 153 Enables network access during safeboot for specific services 20->153 50 11 other processes 20->50 52 4 other processes 24->52 129 192.229.221.95 EDGECASTUS United States 26->129 131 2.22.50.131 AKAMAI-ASN1EU European Union 26->131 85 C:\Windows\System32\InstallUtil.InstallLog, Unicode 26->85 dropped 87 C:\...\AteraAgent.InstallLog, Unicode 26->87 dropped 155 Reads the Security eventlog 26->155 157 Reads the System eventlog 26->157 56 2 other processes 29->56 41 conhost.exe 31->41         started        133 52.223.39.232 AMAZONEXPANSIONGB United States 33->133 135 13.35.58.57 AMAZON-02US United States 33->135 89 C:\Windows\Temp\SplashtopStreamer.exe, PE32 33->89 dropped 159 Creates files in the system32 config directory 33->159 43 SplashtopStreamer.exe 33->43         started        46 conhost.exe 33->46         started        58 2 other processes 35->58 48 conhost.exe 37->48         started        60 4 other processes 39->60 file9 signatures10 process11 dnsIp12 111 C:\Windows\Temp\unpack\PreVerCheck.exe, PE32 43->111 dropped 62 PreVerCheck.exe 43->62         started        65 conhost.exe 50->65         started        127 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 52->127 113 C:\...\AlphaControlAgentInstallation.dll, PE32 52->113 dropped 115 C:\...\AlphaControlAgentInstallation.dll, PE32 52->115 dropped 117 C:\...\AlphaControlAgentInstallation.dll, PE32 52->117 dropped 119 13 other files (1 malicious) 52->119 dropped 161 System process connects to network (likely due to code injection or exploit) 52->161 67 conhost.exe 56->67         started        69 net1.exe 56->69         started        71 conhost.exe 56->71         started        73 conhost.exe 60->73         started        75 cscript.exe 60->75         started        file13 signatures14 process15 file16 121 C:\Windows\Temp\unpack\libssl-3.dll, PE32 62->121 dropped 123 C:\Windows\Temp\unpack\libcrypto-3.dll, PE32 62->123 dropped 125 C:\Windows\Temp\unpack\SRSocketCtrl.dll, PE32 62->125 dropped 77 msiexec.exe 62->77         started        process17

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                Le55bnMCON.msi26%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe21%ReversingLabsWin32.Trojan.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                  https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                    http://schemas.datacontract.orgAteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                        http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                          https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://agent-api.atera.com/Production/Agent/GetCommands)AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6932000.00000004.00000800.00020000.00000000.sdmpfalse
                                              https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                https://nlog-project.org/AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189398737.000001952A588000.00000002.00000001.01000000.00000023.sdmpfalse
                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMoniAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      https://aka.ms/dotnet/app-launch-failedAteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        http://dl.google.com/googletalk/googletalk-setup.exeAteraAgent.exe, 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmpfalse
                                                          http://repository.swisssign.com/0AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.zAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemo0AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      http://wixtoolset.orgrundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, Le55bnMCON.msi, 6cdf87.msi.1.drfalse
                                                                        https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000004.00000002.1861868953.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004426000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            http://acontrol.atera.com/AteraAgent.exe, 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformationAteraAgent.exe, 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78019C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        http://www.flexerasoftware.com06cdf8b.msi.1.drfalse
                                                                                          https://agent-api.atera.com/Production/Agent/thresholds/fbcf2d79-fde9-446f-9db8-b915db64fdfbAgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              https://www.anf.es/address/)1(0&AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                http://my.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C505D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    https://ps.ateHzAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          https://www.anf.es/AC/ANFServerCA.crl0AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            https://download.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C5083000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              https://aka.ms/dotnet/app-launch-failed&gui=trueShowingAteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    https://agent-api.atera.comrundll32.exe, 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189398737.000001952A588000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                        https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8AteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          http://www.w3.ohAteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/26.0/AgentPackageProgramManagemeAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                  https://agent-api.atera.com/Production/Agent/GetRecurringPackagesiChannelSubscribeRequestAteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000023.00000002.2188718103.000001952A4B2000.00000002.00000001.01000000.00000023.sdmpfalse
                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://ps.pndsn.com/v2/presence/sub_kAteraAgent.exe, 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://github.com/dahall/taskschedulerMicrosoft.Win32.TaskScheduler.dll0.24.drfalse
                                                                                                                                                http://www.datev.de/zertifikat-policy-int0AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  https://my.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C5058000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000023.00000002.2188329818.000001952A4A4000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                          https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000023.00000002.2175576254.0000019511AF2000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                                                                                              https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://aka.ms/dotnet-core-applaunch?AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://github.com/dotnet/runtimeSystem.IO.FileSystem.Primitives.dll.1.dr, System.IO.IsolatedStorage.dll.1.dr, System.Security.Cryptography.Cng.dll.1.dr, System.Reflection.Emit.dll.1.drfalse
                                                                                                                                                                    https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=deb5ed17-32ce-44ff-8808-09cab14ce0c0AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      http://ocsp.dgiAteraAgent.exe, 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://agent-api.atera.comh2AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAteraAgent.exe, 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip?TV4U36qfnAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIPAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://agent-api.PAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://www.w3.oAteraAgent.exe, 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://github.com/JamesNK/Newtonsoft.Jsonrundll32.exe, 00000003.00000003.1809738097.0000000004A49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1819796804.0000000004518000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1864689254.000000000469A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1928739816.000000000422B000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2046463798.0000024229082000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2930180120.00000278DD6F0000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2189556505.000001952A592000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                                                                          http://www.anf.es/AC/RC/ocsp0cAteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB65EA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5C7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E14000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=76f279a6-9657-4bc1-af29-5ad914073c8bAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zipAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=3a251339-3e59-4c6b-ab71-e6bac82c5bc4AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://ps.pndsnAteraAgent.exe, 0000000D.00000002.2364755560.000001E78054F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB667D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6667000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66F3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6683000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB66E9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6854000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        http://www.datev.de/zertifikat-policy-std0AteraAgent.exe, 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://www.sqlite.org/copyright.html2AgentPackageMonitoring.exe, 00000023.00000002.2223243014.00007FFDF16A4000.00000002.00000001.01000000.0000001C.sdmpfalse
                                                                                                                                                                                                            https://ps.pndsn.com/v2/presence/subAteraAgent.exe, 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.6/AgentPackageSystemTools.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/fbcf2d79AteraAgent.exe, 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/guiCommAgentPackageAgentInformation.exe, 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://www.openssl.org/HPreVerCheck.exe, 00000027.00000000.2271126671.0000000000645000.00000002.00000001.01000000.00000026.sdmpfalse
                                                                                                                                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5CD5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip?TV4U36AteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIPAteraAgent.exe, 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://agent-api.atera.com/Production/Agent/TraceAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://system.data.sqlite.org/AgentPackageMonitoring.exe, 00000023.00000002.2187898705.000001952A442000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                                                                                                  http://www.datev.de/zertifikat-policy-bt0AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.0/AgentPackageProgramManageAteraAgent.exe, 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      http://www.acabogacia.org/doc0AteraAgent.exe, 0000000D.00000002.2391825905.000001E7F383E000.00000004.00000020.00020000.00000000.sdmpfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        13.35.58.57
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        2.22.50.131
                                                                                                                                                                                                                                        		unknownEuropean Union
                                                                                                                                                                                                                                        		20940AKAMAI-ASN1EUfalse
                                                                                                                                                                                                                                        18.66.112.125
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		3MIT-GATEWAYSUSfalse
                                                                                                                                                                                                                                        93.184.221.240
                                                                                                                                                                                                                                        		unknownEuropean Union
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        35.157.63.228
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        18.66.112.10
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		3MIT-GATEWAYSUSfalse
                                                                                                                                                                                                                                        52.223.39.232
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8987AMAZONEXPANSIONGBfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1552154
                                                                                                                                                                                                                                        Start date and time:2024-11-08 13:53:28 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 13m 48s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:68
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:Le55bnMCON.msi
                                                                                                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                                                                                                        Original Sample Name:b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@195/1021@0/9
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 16.7%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 59%
                                                                                                                                                                                                                                        • Number of executed functions: 423
                                                                                                                                                                                                                                        • Number of non-executed functions: 3
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7660 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7768 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 7092 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 2288 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7140 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7824 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 3264 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 6196 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 6484 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7272 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetValueKey calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: Le55bnMCON.msi

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        07:54:38API Interceptor2x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        07:54:42API Interceptor212859x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        07:54:56API Interceptor41x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        07:55:06API Interceptor16x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        07:55:06API Interceptor2952x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        07:55:24API Interceptor2x Sleep call for process: msiexec.exe modified
                                                                                                                                                                                                                                        07:55:55API Interceptor9x Sleep call for process: SplashtopStreamer.exe modified
                                                                                                                                                                                                                                        12:55:35Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
                                                                                                                                                                                                                                        12:55:54AutostartRun: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {96ec02bb-b5fa-4892-a305-c6128466beda} "C:\ProgramData\Package Cache\{96ec02bb-b5fa-4892-a305-c6128466beda}\dotnet-runtime-6.0.35-win-x64.exe" /burn.runonce
                                                                                                                                                                                                                                        12:56:49Task SchedulerRun new task: AteraAgentServiceWatchdog path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe s>eyJBZ2VudElkIjoiZmJjZjJkNzktZmRlOS00NDZmLTlkYjgtYjkxNWRiNjRmZGZiIiwiQ29tbWFuZElkIjoiNGViOGIzYWUtM2ExZS00YzdiLWE3ZjMtODg0ZGIyNzIxODk4IiwiQWNjb3VudElkIjoiMDAxM3owMDAwMmVEYnRsQUFDIiwiQWdlbnRBcGlIb3N0IjoiYWdlbnQtYXBpLmF0ZXJhLmNvbS9Qcm9kdWN0aW9uIiwiQXJndW1lbnRzIjoie1x1MDAyMkNvbW1hbmROYW1lXHUwMDIyOlx1MDAyMmhlYWx0aGNoZWNrXHUwMDIyfSIsIkFnZW50RGlyZWN0b3J5IjoiIn0=

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                        13.35.58.57gaYiWz75kv.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                          setup_north_west_arctic_borrough.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                            SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                              40.119.152.241z8yxMFhhZI.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                kTbv9ZA2x0.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  IwmwOaVHnd.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    gaYiWz75kv.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                      e8gTT6OTKZ.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                        Atualizador_Fiscal_NFe.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                          laudovisitabombeirosPdf.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                            LaudoBombeirosPDF.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                              SecuriteInfo.com.Program.RemoteAdminNET.1.4447.28224.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                Adobeflash.msiGet hashmaliciousAteraAgentBrowse

                                                                                                                                                                                                                                                                  Domains

                                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                                  ASNs

                                                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                                  AMAZON-02USz8yxMFhhZI.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 13.35.58.31
                                                                                                                                                                                                                                                                  xX1k6Ghe8s.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                  • 108.131.187.52
                                                                                                                                                                                                                                                                  wrgmhT3TP7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                  • 13.236.43.141
                                                                                                                                                                                                                                                                  kTbv9ZA2x0.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 13.35.58.31
                                                                                                                                                                                                                                                                  IwmwOaVHnd.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 13.35.58.89
                                                                                                                                                                                                                                                                  gaYiWz75kv.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 35.157.63.228
                                                                                                                                                                                                                                                                  SecuriteInfo.com.Trojan.Linux.GenericKD.28459.8905.27219.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                  • 34.243.160.129
                                                                                                                                                                                                                                                                  e8gTT6OTKZ.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 35.157.63.227
                                                                                                                                                                                                                                                                  EFT Remittance_CQDM.htmlGet hashmaliciousMamba2FABrowse
                                                                                                                                                                                                                                                                  • 18.245.31.5
                                                                                                                                                                                                                                                                  sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                  • 108.133.220.122
                                                                                                                                                                                                                                                                  MICROSOFT-CORP-MSN-AS-BLOCKUSz8yxMFhhZI.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 40.119.152.241
                                                                                                                                                                                                                                                                  xX1k6Ghe8s.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                  • 20.83.189.171
                                                                                                                                                                                                                                                                  kTbv9ZA2x0.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 40.119.152.241
                                                                                                                                                                                                                                                                  IwmwOaVHnd.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 40.119.152.241
                                                                                                                                                                                                                                                                  gaYiWz75kv.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 20.60.197.1
                                                                                                                                                                                                                                                                  Play-Audio_Vmail_Ach Statement Credi....htmlGet hashmaliciousHtmlDropperBrowse
                                                                                                                                                                                                                                                                  • 13.107.246.45
                                                                                                                                                                                                                                                                  phish_alert_sp2_2.0.0.0.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                  • 13.107.246.45
                                                                                                                                                                                                                                                                  e8gTT6OTKZ.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  • 40.119.152.241
                                                                                                                                                                                                                                                                  EFT Remittance_CQDM.htmlGet hashmaliciousMamba2FABrowse
                                                                                                                                                                                                                                                                  • 13.107.246.45
                                                                                                                                                                                                                                                                  sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                                                                                  • 52.255.11.119

                                                                                                                                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                                  Dropped Files

                                                                                                                                                                                                                                                                  No context

                                                                                                                                                                                                                                                                  Created / dropped Files

                                                                                                                                                                                                                                                                  C:\Config.Msi\6cdf86.rbs

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8813
                                                                                                                                                                                                                                                                  Entropy (8bit):5.661770351434747
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:Bjoxz1ccbTOOeMead61E7r6IHfE7r6kAVv70HVotBVeZEmzmYpLAV77KXpY92r:B8D2RwpwtiB2iW
                                                                                                                                                                                                                                                                  MD5:048FDEF603D29873AE02CA59B942622C
                                                                                                                                                                                                                                                                  SHA1:00AF0307A80D9CE16B61463C63FAE22330E5CD53
                                                                                                                                                                                                                                                                  SHA-256:07F32EFA896950ADEAA12B408152E90B8F6F7E8E6E4564B846163D81045058DC
                                                                                                                                                                                                                                                                  SHA-512:27FEF6F77EFDDAE2569A5062C7771F809EC590550E7E3B9FD44BC130B13A99781875D45094BE0D97D5D5EE61DAB714F972850E1808C2344FFF1131443D6FF440
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\6cdf86.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Le55bnMCON.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E31

                                                                                                                                                                                                                                                                  C:\Config.Msi\6cdf8a.rbs

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):76037
                                                                                                                                                                                                                                                                  Entropy (8bit):5.733715983103875
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:0PXeqjCyEgH2bQzxW5wM/wt/JBQKwHhrRUL2l+Jq4599oefeIubJZrQ1vMF8Ekdc:BSs
                                                                                                                                                                                                                                                                  MD5:F64F291E5C1DA64C9BB5D345F54E7815
                                                                                                                                                                                                                                                                  SHA1:9924F7EE874E398FFCAD2FF45990FE11767821C6
                                                                                                                                                                                                                                                                  SHA-256:DCDAA3F590399CF16665D08064352183831EC91E753D5241AB1536565EB5B452
                                                                                                                                                                                                                                                                  SHA-512:E8F1822098F31BFBBEC843E41BC6B03BE14823CA33949039B7DE05E617B7F0EF30F4497FE768F1EAF2F84017AB601E70B50366B2FF802A1D091AC26FC1001672
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{06653204-4010-8C69-AD0A-982273468010}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{76FB8673-364C-25A7-DEC2-3C43D0343A02}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{944490A2-222A-67EA-5532-3CEF12

                                                                                                                                                                                                                                                                  C:\Config.Msi\6cdf8c.rbs

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):464
                                                                                                                                                                                                                                                                  Entropy (8bit):5.2173150850606
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Ea3LMbA/e/YeVugrUucQBak5cSvpL7lgYKq9uSgmll/Vnpm/nsuRYaRsjXwpoh7i:EgGA/OBjUcBn97lghq5j//a/fNl+9W
                                                                                                                                                                                                                                                                  MD5:56EAC7928E63DA28377D89AEA646C188
                                                                                                                                                                                                                                                                  SHA1:56E9A1281D2A0FBEECFE5221B1ADA2A770277F54
                                                                                                                                                                                                                                                                  SHA-256:E51FE0081C46E209770FE67A0F0A6DC83D34D1A70C3D0DC0225CC06F15CC7E9C
                                                                                                                                                                                                                                                                  SHA-512:D743349D36E5D07A94E7B07434D9E4583B1016DFF91DDE13529E7DA91D646CFE57A2AB90F38BBF44BB77326F3EE36BFDF8D1EA34DAEDE728532B5A7C94B96171
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....Util_UpdateSetting....Util_InstSrvAndDrv....Util_InstDone...@.....@.....@....

                                                                                                                                                                                                                                                                  C:\Config.Msi\6cdf8f.rbs

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):39267
                                                                                                                                                                                                                                                                  Entropy (8bit):5.4769986177526695
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:sjL9BRzVH/GV1a67QzE/DBFIAL1UN7TbBSb0qvJWj28erEReN4CVcaf1QeLHaH8V:mL9BRzVH/GV1a67QzE/DBFIAL1UN7Tb1
                                                                                                                                                                                                                                                                  MD5:564405309955B3835A0AAFABD40E59DF
                                                                                                                                                                                                                                                                  SHA1:EF377F11D4DB3707E89EFF17EDBC7B4F6E26C0F2
                                                                                                                                                                                                                                                                  SHA-256:E133270064F77A87EC4C9E5DE90020DE7A2FEBDEAE1AE4F4CE4D4EAC41BAB5C2
                                                                                                                                                                                                                                                                  SHA-512:D1110412B5BDA4F44F4D58548B95F9F036CA2E6F72D6788C92F38B6926D801E326764C701F563B77B5BEEF78C4F948DB4308C612A198ECD29F48CB41EE3FA476
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.?hY.@.....@.....@.....@.....@.....@......&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}%.Microsoft .NET Runtime - 6.0.35 (x64)!.dotnet-runtime-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{76657AF8-AF4E-4FA9-9A39-80AC267D9B11}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BCDE6883-BAB7-54AB-B504-D8C3F75FDB2A}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{F621578B-E081-5FC4-B0C5-A151B816DC51}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{B0658A77-9697-57AB-AEF0-C49F5788A264}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{120A93F0-81ED-50CA-849C-D3C267F0E1B9}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{B6486357-3BB8-567F-A403-76642301DF0F}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}.@......&.{7DD77B54-D0C8-5E10-9C80-EE381420C680}&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):753
                                                                                                                                                                                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):7466
                                                                                                                                                                                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):145968
                                                                                                                                                                                                                                                                  Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                  MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                  SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                  SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                  SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1442
                                                                                                                                                                                                                                                                  Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                  MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                  SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                  SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                  SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3318832
                                                                                                                                                                                                                                                                  Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                  MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                  SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                  SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                  SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):215088
                                                                                                                                                                                                                                                                  Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                  MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                  SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                  SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                  SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                  MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                  SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                  SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                  SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1967254
                                                                                                                                                                                                                                                                  Entropy (8bit):7.99899464874092
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:49152:GIvTD8ZtXieZ2TfM38pgpbNQRcMzGExh+26D4o0Ydyg:XTD8ZweZbMy5QFGExw9D4oVH
                                                                                                                                                                                                                                                                  MD5:8DE5A7A19D882820893D8B911C1710FB
                                                                                                                                                                                                                                                                  SHA1:95CDF5855BC5E454C8944952697AB142F77124F7
                                                                                                                                                                                                                                                                  SHA-256:2BEE5835A45E74F454648C57FEF0D6FCA40D64308F813CB759CCAB1B2AB576A9
                                                                                                                                                                                                                                                                  SHA-512:3056784D9A1AE5A8A5DD92D7ED6AD1311E863E41A6CA5971AAC5D626DA1338DA44D0828448AA9AB1F9EDB88AFBAAACD57660C4C102812BC94240654B8D5237A7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK.........BfY................Agent.Package.Watchdog/PK.........AfY.#.L>.......7...Agent.Package.Watchdog/Agent.Package.Watchdog.deps.jsonr...+v..$...01%...{.r`..P....F|..A...;.[...j....u.....z.).E..q...s*...D...4.....Es.^+C.......P.3b.......o..i_&#..?..D..}...~&L....D.C.y......dm...A....6..:.s..^L.I6{.......c)2s.<...hU.n.(#.7.15..q...o..j..n..=.g{.mN.....jH..5......N$......Q_..?VY/.[Dk..V..56.V.C,.....x..6...Z2b...t.....%..u..gR.3...{..<:.z..v..+c6A2.f.!+Sa..p0;^..E.]............2....1..@p.6.!..|~.}.vj........-...hB.......&R.i.=..G.....g.A..~f.. 8..F......*..j.....O.....b...6..%9.x.Q.z_K@%...[.k1a.w4U...x.V.ae..E%`B(....."oz!...h..+...XP.i...B.^...i..A.......(I.1....O...d.O.yt..=e%O.s........YUC.B=m..g]....x\\8...0k*P.e~p...d.....e...`..2.6.<2`.s9.f.F......z>8.L.i....y..Sj3.`.].F.......e...Fb.....U.A]..8......*...]R[O....... \.....X`..2...#](.M...(..k?...L%Y.&....M..=&.......t.c`[..&..h.OV./.b#.>..T...!td....Z......d[,........^$...<.P3.;..=..m

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.deps.json

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):39359
                                                                                                                                                                                                                                                                  Entropy (8bit):5.001107788783311
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:YT5DUarXaaec21v5Oc55MNXP4RBTEQ88jnfA:YNDUarXaaecC5Oc55mXP4TTEuA
                                                                                                                                                                                                                                                                  MD5:D4D3077248D2EC265329DA2BB4EB1409
                                                                                                                                                                                                                                                                  SHA1:C4118CD8CC0C738D212BD57B262C83652BD06582
                                                                                                                                                                                                                                                                  SHA-256:6E5DCE5A789BB451AF3B5136C9832DA6A621A92EAA151D1BA699B9C0FB6CFB9E
                                                                                                                                                                                                                                                                  SHA-512:AC479A172E4F0E90A096B13D5F785EC3184F214000B9578D835E9A4FBF7BA64F3C2D0F679C6B0F325B9A34623E8548CBD4B8C1873A4DF1CAFECC94AAD343F7BD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.7": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):35408
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4700416722695895
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:i0uXcA8f/rEacom1OiYW32L0k8pJsjmd+uE8aNmHCiYVGx5mNyb8E9VF6IYijSJV:iDXcA8HBcomwxW3Rk3C+udBuEpYi60Y
                                                                                                                                                                                                                                                                  MD5:982E427EAFC97BD0044FD50745B72A6B
                                                                                                                                                                                                                                                                  SHA1:978C94A813E0931D62A28A8D40BF3F19CE504029
                                                                                                                                                                                                                                                                  SHA-256:9590664E74B2A011504764572E4E7DA12758415167958FE512E98CA3278F2AEC
                                                                                                                                                                                                                                                                  SHA-512:25461E9A3BC9B7D01FC6EC19F05AB5B313C81B5A3ED015F7A95DC7B493EDED733EEF181C2CDB840F9CC8AC497FCEB14D857825AB4EB55EE4138EB8A12CC6A352
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..X...........w... ........@.. ...............................H....`.................................4w..O....................b..P(...........w............................................... ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B................hw......H........2..<D............................................................{....*..{....*..{....*..{....*..{....*..{....*..(......}......}......}.......}.......}.......}....*....0...........u.......;.....9....(.....{.....{....o....,w(.....{.....{....o....,_( ....{.....{....o!...,G("....{.....{....o#...,/($....{.....{....o%...,.(&....{.....{....o'...*.*.*..0.......... ...9 )UU.Z(.....{....o(...X )UU.Z(.....{....o)...X )UU.Z( ....{....o*...X )UU.Z("....{....o+...X )UU.Z($....{..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):161360
                                                                                                                                                                                                                                                                  Entropy (8bit):6.243597431749339
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:I5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4CULCXodwpz:IBKjK2LFzZNfJULq7z
                                                                                                                                                                                                                                                                  MD5:242D415E238789FBC57C5AC7E8CA5D02
                                                                                                                                                                                                                                                                  SHA1:09C1E25E035BE67C9FBFA23B336E26BFD2C76D04
                                                                                                                                                                                                                                                                  SHA-256:7F3DED5BF167553A5A09CA8A9D80A451EB71CCECC043BDA1DD8080A2CBE35FA2
                                                                                                                                                                                                                                                                  SHA-512:AC55D401951ECF0112051DB033CC9014E824AB6A5ED9EA129A8793408D9BF2446CB3C15711E59A8577E0F60D858A4639E99E38D6232315F0F39DF2C40217EA40
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.J.^.J.^.J.+.K.^.J.+.K.^.J.+.K.^.J.&GJ.^.J^,.K.^.J.^.J@^.JG+.K.^.JG+.K.^.JRich.^.J........................PE..d......f..........".................P@.........@..........................................`.................................................|(...............`..L....N..P(.......... ...T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data...X....@......."..............@....pdata..L....`.......,..............@..@_RDATA...............B..............@..@.reloc...............D..............@..B.rsrc................H..............@..@........................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):13
                                                                                                                                                                                                                                                                  Entropy (8bit):3.7004397181410926
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhUmov:Wvov
                                                                                                                                                                                                                                                                  MD5:82F71B382E51CAE212E670779DBDF14E
                                                                                                                                                                                                                                                                  SHA1:C764F353E7B76236468649989C39EAEF3B97E701
                                                                                                                                                                                                                                                                  SHA-256:B57642302DEA3460BD78B6D9C62593939852C8526BA1779067D411E4DDA3DE17
                                                                                                                                                                                                                                                                  SHA-512:C5687A7DBBD4C714181F1ECFE1810A48109A4D9D4E3E90E88DA67FA3CB2736D5B3AA260B6680FA6A07FAA66CCB59DB05F9E8E345FD0DC50ABB63CB83DAAF0BFF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=1.7..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):288
                                                                                                                                                                                                                                                                  Entropy (8bit):4.622820819612829
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:3Hp/hdNyhAkv3Opo/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkv3OpJ5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                                                  MD5:AA6C95679FBDCCE9930CD0588089344B
                                                                                                                                                                                                                                                                  SHA1:46294C035BFB927915DC089C67475610AF904E86
                                                                                                                                                                                                                                                                  SHA-256:8DA9CA03D76A3AA7BAB068EC578B441B3DC3BA7F9C94EE42203286B8E650F5B9
                                                                                                                                                                                                                                                                  SHA-512:91EC4C51D846AA4D881F02FFE051B4A6BDD7263574214186D7D8609AD4447E38D5547586C3B973FD6371622A6F574B767405074ABC96CFF40B7B3D7C8A9F7842
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "rollForward": "LatestMajor",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53840
                                                                                                                                                                                                                                                                  Entropy (8bit):6.297907121687926
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:8dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqthEpYi60QY:8d2P/phL4L8KGo9sgqtK76u
                                                                                                                                                                                                                                                                  MD5:1A5F29E19AFB572B5380F3CFDD935D6A
                                                                                                                                                                                                                                                                  SHA1:4A8432F57161886AAEC2D6761F5677BBE2A68F3E
                                                                                                                                                                                                                                                                  SHA-256:E0F10B6137F48219EF31700A6C668857306EDB6ABF8911853331C8A7B5E55A23
                                                                                                                                                                                                                                                                  SHA-512:638F5440A11ABA7D453D58B8158E6CA4A453297356D67E1CC59C693A32774D57BFC0BF1A407BDCD15BE892E8012B31C21577A60395E20EC0C3E88F804308B573
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.(..........." ..0.................. ........... ....................................`.................................X...O.......t...............P(..........P...T............................................ ............... ..H............text........ ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B........................H........I...t............................................................{....*..{....*..{....*r.(......}......}......}....*....0..Y........u........L.,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*.*....0..K....... M.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o ...X*..0...........r...p......%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....("...*..(#...*^.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):66640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.272861820966947
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:ZO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5jEpYi60IKx:TQTIywi3eobgTG/2u2/wb0u5c766x
                                                                                                                                                                                                                                                                  MD5:8746122FDF7EFC772183F4DF2E91982A
                                                                                                                                                                                                                                                                  SHA1:AF4203A3D27A1E52FA9F34A050B6540514FD6435
                                                                                                                                                                                                                                                                  SHA-256:0BEE7E589E4CB7C5D46CE745385C3798DD5093984DD3C56AADE1E13BE6E53C42
                                                                                                                                                                                                                                                                  SHA-512:07E227E88B5E260919678C05DD21F650E39A180A0F952885998203931C118D7966BA1527316329E1A3BEA27EC9A415DED81F396354F55D8CABC8D1D5BABC3F73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.t..........." ..0.................. ........... .......................@......x.....`.....................................O.......................P(... ..........T............................................ ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........_...............................................................(....*^.(.......J...%...}....*:.(......}....*:.(......}....*...0..T........(....(....,..(...+&.(...+&.(...+&(....,..(...+&.(...+&(....,..(...+&.(...+&.(...+&*.0...........(....&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&*".(...+&*".(...+&*".(...+&*.(....*.(....*..(....*j(.....%-.&~....(....o....*j(.....%-.&~....o ...(!...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.958192575536949
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:4hOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mSowR:4hJ177+9jQAVph4sUDfAbm1F8lR
                                                                                                                                                                                                                                                                  MD5:D0EE12CB6A6293426BEE6D95908C38C8
                                                                                                                                                                                                                                                                  SHA1:7A1B43AF1ED6C0F6E0A4283AC217ECFFB75357A8
                                                                                                                                                                                                                                                                  SHA-256:EECB149B376D21EC9D6CE3C295DAAFD7FCE36476FCE42C786813DD00AE0D4657
                                                                                                                                                                                                                                                                  SHA-512:92797BB40A9C11A07DEB40F73750C041CF5B471E19BABFC182208D6B5B44B6E74C89AD174A911F27E9587CD69D72A6191DB096D38EE67FA38E2C4811861D65AB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............:.... ........... ....................... ......{.....`.....................................O.......$...............P(..............p............................................ ............... ..H............text...@.... ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B........................H.......0.................................................................(9...*^.(9..........%...}....*:.(9.....}....*:.(9.....}....*:.(9.....}....*....0..G.........(:...}q......}r......}s......}t......}p.....|q.....(...+..|q...(<...*..0..G.........(:...}x......}y......}z......}{......}w.....|x.....(...+..|x...(<...*..0..G.........(=...}c......}d......}e......}f......}b.....|c.....(...+..|c...(?...*..0..G.........(=...}k......}l......}m......}n......}j.....|k.....(...+..|k..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29264
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5196842118788085
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Y+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWskgNyb8E9VF6IYijSJIB:Y+EF/CvyKohrqn3EpYi60izJk
                                                                                                                                                                                                                                                                  MD5:7C01218E99981139C044B9D2820B887C
                                                                                                                                                                                                                                                                  SHA1:816284B70E7B7F3756F01C887378883481428081
                                                                                                                                                                                                                                                                  SHA-256:D07D4472E5E80A0EBDCF2870629DD12E5EECFDD79C8BBB932BE3104135F8C77C
                                                                                                                                                                                                                                                                  SHA-512:BFFD5DA9B2FE6B810FC5E5E567E085545665115101E4F48E3324FF4369E35D8D55D42F4E68138E5EBE371C097E88C3801D5FFF440A57AB9C1EF8522D12F31B12
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N............." ..0..>...........\... ...`....... ...............................;....`.................................{\..O....`...............J..P(..........d[..T............................................ ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............H..............@..B.................\......H........(...............W..X....Z........................................(&...*^.(&......8...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....**.-..(....*..s'...z.~....*...0..........(....,..*..(.....o(......&...*...................0...........(.......()...-..,..*.*.(....,.r...p......%...%...(*...*..(+...*.(....,.r...p......%...%...%...(*...*...(,...*.(....,!r...p......%...%...%...%...(*...*....(-...*..,&(....,..r...pr...p.(*...(....*..(/...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):42576
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4046458780485525
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:oThLeDjUB16TI1CQ12cMcFgL/l5dgEpYi60JVY:oTvB71dEcME45dp765
                                                                                                                                                                                                                                                                  MD5:878C629AC2EEA81E6EAD65CD6A50F5A3
                                                                                                                                                                                                                                                                  SHA1:35B9F1D10DAFB3025AC0413D7AA0ED0CCCFFDE6A
                                                                                                                                                                                                                                                                  SHA-256:E17A324E6361ED45A6E48C799B8E33349BCF41242723795CFC312B9E8E697813
                                                                                                                                                                                                                                                                  SHA-512:8F9C02DFD0EE383A605FB2C57652E1580BAAB1DF0422D6E9ADD9D95CC8EC698CB346413B407E39D1AE61C67CF7CD95FD71D9C2569FC192BAEB67B821D1F94D03
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f............" ..0..t.............. ........... ...............................}....`.....................................O....................~..P(..........|...T............................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B........................H.......4:...L.............8.............................................(....*^.(.......A...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.668752308927327
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:JYEMITBweJkneGO3WKGW9anWsxNyb8E9VF6IYijSJIVxOStz5:lTBwa7dEtVEpYi60J
                                                                                                                                                                                                                                                                  MD5:A256A34CA45909D19DF819603DCB13AF
                                                                                                                                                                                                                                                                  SHA1:DCC715A30ED57D7EB32BBC8E1DF0CF83EE1C4CD0
                                                                                                                                                                                                                                                                  SHA-256:5D6A87A5C6DF09E73DF6DFBE73CE7E1D254E021FE536884C8596B32E5DB2B30A
                                                                                                                                                                                                                                                                  SHA-512:4967DF87A1287CB1F3C60711723F1A3E680C8EA79FDE1824A8780E17A7ED4E6C8F69D31BD9F76ABA01119115654B7C10E844FDE9C48851B37BD60D5030A64EBC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1............" ..0..0...........O... ...`....... ...............................p....`..................................O..O....`...............:..P(..........xN..T............................................ ............... ..H............text..../... ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................O......H.......d&...#..........hI.......M........................................(....*^.(.......-...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):21584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.714340321050238
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:w6jxRm3soGTeZeszQm31WUKeWstNyb8E9VF6IYijSJIVxen7fT:fj23spTeZposJEpYi60q
                                                                                                                                                                                                                                                                  MD5:D1A72EDF2377EF9E1AB99325DD033D40
                                                                                                                                                                                                                                                                  SHA1:E4B5F48A5B5E3424CCB2D127E7AD27D19893B483
                                                                                                                                                                                                                                                                  SHA-256:88DA1CB723C78E0FFF141534E2960F0738E4A023C3A5C1929BD66193ED22BA2C
                                                                                                                                                                                                                                                                  SHA-512:333812806E3B14ACCC0E3C5E86B815CEE893E3C67453B4B99FEF02855BC718DAE9FD3A2344B4B3D9BE09DDAA8B1B21F6F0F55E05DE6055A5E49FA0EF8331285C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s............" ..0.."..........NA... ...`....... ....................................`..................................@..O....`...............,..P(...........?..T............................................ ............... ..H............text...T!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................/A......H.......x#......................T?........................................(....*^.(.......$...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.s....o....&.*V.s....%.o....o....&.*"..(...+*v.(.....~....}.....~....}....*..(......%-.&~....}......{....(....}....*2.(....(....*..(....o....r...p.{....r...p(....*..0..........(....s......o.....8.....o .......(!...t&.....o .

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28240
                                                                                                                                                                                                                                                                  Entropy (8bit):6.599763231337247
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:tzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WsdNyb8E9VF6IYijSJIVF:1xk1/9jtGhScRwPpByoZEpYi608L2X
                                                                                                                                                                                                                                                                  MD5:8E2141AACC92F6096C9B6DA6BB5A0F33
                                                                                                                                                                                                                                                                  SHA1:2F702720C1C320434120E471B4329EE2143EA221
                                                                                                                                                                                                                                                                  SHA-256:E9F9CE42CB36557CAC26BD6D5907BB125C4678D15198700AB767E7144B0E0D18
                                                                                                                                                                                                                                                                  SHA-512:82E74FA668BCFAFDE8956DFECE6ED8B0DF744C506824ACCF53EC69236DB59DE23E1CA34F40358BFE39B06290C5029C0C611C7C8DBE7881C53BDDE9B72843D3FC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."..........." ..0..<...........[... ...`....... ...............................l....`..................................[..O....`...............F..P(..........tZ..T............................................ ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............D..............@..B.................[......H........(...,...........U..8....Y........................................(....*^.(.......3...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...( ...*.(....,!r...p......%...%...%...%...(....*....(!...*..,&(....,..r...pr...p.(....("...*..(#...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27728
                                                                                                                                                                                                                                                                  Entropy (8bit):6.56193078447284
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:eXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsGNyb8E9VF6IYijSJIVxlt0D6:aLAux7yUcT7jF6aYhSkOEpYi60J
                                                                                                                                                                                                                                                                  MD5:3F6FACE7733E23C3B705321A95612C3F
                                                                                                                                                                                                                                                                  SHA1:4093ABF818172BF36D0B174A616DDA022DE186AA
                                                                                                                                                                                                                                                                  SHA-256:4FFA4A98A3F5F33F727E6DAFEB252E0DFED4CEA13720346BB86B120E6E104451
                                                                                                                                                                                                                                                                  SHA-512:BB3F66CC0EDDCE7CE165278B1F6E9716BED87701250CEC9D086AB7E6F5FE5FBEE66BA7F60E2D3DD3C298E06F39E4D436D27B5008920DCE2BC5CCEA2EFAE4F85B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..:...........X... ...`....... ....................................`.................................SX..O....`..l............D..P(..........LW..T............................................ ............... ..H............text....8... ...:.................. ..`.rsrc...l....`.......<..............@..@.reloc...............B..............@..B.................X......H........(...)...........Q.......V........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*..............!....0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):26192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.547720137603778
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:LMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWsHNyb8E9VF6IYijSJIVxUaa:LKnbPplTv9uuLuVwrEpYi60k
                                                                                                                                                                                                                                                                  MD5:8BB0B459701F66BAE28E754B043963C3
                                                                                                                                                                                                                                                                  SHA1:E567DD2727E5BF3CF10A6C70891E63EE0247C41C
                                                                                                                                                                                                                                                                  SHA-256:895928EC2A2AF3A288444C6DA2FB1E5249F6054C553FE763CD6D73CCFECF3266
                                                                                                                                                                                                                                                                  SHA-512:E84CD6BC9A6DE8E00FC5FCFDB2A660AD293ED619AB0E114EF52C73520738307E23618CACC2D5E2ABB2755B5D58FF0D7A81817F5E8C34CB5E9707191C756B0192
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.<..........." ..0..4..........bR... ...`....... ...............................:....`..................................R..O....`...............>..P(...........P..T............................................ ............... ..H............text...h2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................AR......H........&..$$..........(J..P...xP........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.409309688620981
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:m054t3ibki5TCk3jqEr0WBum6BEpYi60mh:mPtnUj/Lkm976jh
                                                                                                                                                                                                                                                                  MD5:373DB163844AD86DD52C7BDF925B69F1
                                                                                                                                                                                                                                                                  SHA1:3CF502E28A2517C712E39FF4910378411BBD2210
                                                                                                                                                                                                                                                                  SHA-256:D77DDA6EFD4B6F26F4D4227DA1C493DED85FB7118C05231E20E084A1A002C1B0
                                                                                                                                                                                                                                                                  SHA-512:91A6BE82CD1F74B603F422F00E5B51FDBC30D5DA9D34C1EE28F1C5BE188BD5D29BF6FF78DF58ADE9FEC117120A62DC1D3A55E347697F83739C29DFE3FD2DC5DF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...mq..........." ..0..n............... ........... ....................................`.................................a...O....................x..P(..........d...T............................................ ............... ..H............text....l... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H.......p8...M...........................................................(#...*^.(#......A...%...}....*:.(#.....}....*:.(#.....}....*:.(#.....}....*:.(#.....}....**.-..(....*..s$...z.~....*...0..........(....,..*..(.....o%......&...*...................0...........(.......(&...-..,..*.*.(....,.r...p......%...%...('...*..((...*.(....,.r...p......%...%...%...('...*...()...*.(....,!r...p......%...%...%...%...('...*....(*...*..,&(....,..r...pr...p.('...(+...*..(,...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):45136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.257780262213066
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Zq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPYEpYi60si5y:Zq+SSkNNjdQc+cJNp76H9
                                                                                                                                                                                                                                                                  MD5:46178C89C18265DAC04BB569E8AF1B32
                                                                                                                                                                                                                                                                  SHA1:2BF62F8A2802EC573ACDCC1847126A4BCC9D57CE
                                                                                                                                                                                                                                                                  SHA-256:18B49A2C97AE0A0A7D127D99BA24BB6F6B7C05BF321AC4858CD5881908CD937C
                                                                                                                                                                                                                                                                  SHA-512:A007F1406921F7E7C9564EACDA5DD795BA5AF736B1A1BB24652D1C1105CC78C6BDB95391EB0AD0760FF651785EC2A1B953A52DEEE70E7A0A5D5E9DA9E14A7402
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r=..........." ..0..|............... ........... ....................................`....................................O.......................P(..............T............................................ ............... ..H............text....{... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......<=...U..........P....... .........................................(!...*^.(!......E...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):85072
                                                                                                                                                                                                                                                                  Entropy (8bit):6.265757695793194
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:0NNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJf76hF:0MCsvGPPed5ZfjQ+rBvJf2F
                                                                                                                                                                                                                                                                  MD5:8F3F02B670469A026ADC32C95EE8896B
                                                                                                                                                                                                                                                                  SHA1:313B177A7F8FE38642D0F8AC7C417B271DFA3B45
                                                                                                                                                                                                                                                                  SHA-256:EF4A952ECDCF4CCBACA859D30175F3DA67BACE8A2E457BA42A70F0F95286A3A2
                                                                                                                                                                                                                                                                  SHA-512:C91C7D357FBA0B90376F9FB695FC95E799FF9BAB7F55CF094666FF066EF88AE468CCBBE85A822D7DD6DA268F9533279CDF884B6D04AC4F6F1D9F2DB8C8AA87F0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.)..........." ..0.............28... ...@....... ..............................7T....`..................................7..O....@...............$..P(...`.......6..T............................................ ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H.......lj..............$%..0...T6........................................(&...*^.(&......s...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*.~....*..0..........(....,..*..(.....o'......&...*...................0...........(.......((...-..,..*.*.(....,.r...p......%...%...()...*..(*...*.(....,.r...p......%...%...%...()...*...(+...*.(....,!r...p......%...%...%...%...()...*....(,...*..,&(....,..r...pr...p.()...(-...*..(....*.*.(....,.r...p......%...%...()..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.614672831994715
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:hVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWs6SNyb8E9VF6IYijSJIVxqJp3:h3m0SM3Tt90Pl73EpYi60aB
                                                                                                                                                                                                                                                                  MD5:EAC42065062A2A30472F196B5BA2BB5B
                                                                                                                                                                                                                                                                  SHA1:9FC9DBBA48A4C8924EABC0A9D4720E5036EB2233
                                                                                                                                                                                                                                                                  SHA-256:BFD8A444C655399ACDDF034778B162D8AEC18D896790FB7BB258D39C06C8C6AB
                                                                                                                                                                                                                                                                  SHA-512:8F0C4126A4C9AB728A21D5B436697500F1DCD184CAFA909EFB0A872453B2BF35D06B084DD5D2D92B0792FBF805596B6D2F6909CFE74FBD12C0D51D887E2605D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............" ..0..(...........G... ...`....... .............................._.....`..................................G..O....`...............4..P(...........F..T............................................ ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............2..............@..B.................G......H........$...............B..@....F........................................(....*^.(.......(...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):45136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.428795819452189
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:UxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYi60Mrzp:UNxxAYFeMpdURZEu3Su76fp
                                                                                                                                                                                                                                                                  MD5:F449AF52D166FCA3D1FA110D7BF18EE1
                                                                                                                                                                                                                                                                  SHA1:AF56A8B9598A37F1A9844252B2E5177CF47F2BE4
                                                                                                                                                                                                                                                                  SHA-256:BF4BBD45B08C2AAFA3CBCA51443A4C8951E5530ADE33FB12CD060DC332CAB177
                                                                                                                                                                                                                                                                  SHA-512:00D43EE6491FBABE14EEF7323A64D6DF9B4CA0338DF428EAF12D8F287AC16E0EDB1F08BE35A4D7720F50C3841FABE1BC107A1E3AEFCBDD49F40BF774E3F8E006
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s..........." ..0..~..........&.... ........... ...............................~....`....................................O.......p...............P(.............T............................................ ............... ..H............text...,|... ...~.................. ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........;..(Y..................D.........................................("...*^.("......V...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z.~....*...0..........(....,..*..(.....o$......&...*.............. ....0...........(.......(%...-..,..*.*.(....,.r...p......%...%...(&...*..('...*.(....,.r...p......%...%...%...(&...*...((...*.(....,!r...p......%...%...%...%...(&...*....()...*..,&(....,..r...pr...p.(&...(*...*..(+...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):47184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.372186477195459
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:nkfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFyEpYi60xT:sEkMoRxtzIk3ygv/Mh76I
                                                                                                                                                                                                                                                                  MD5:450582CE35B3A02ED828AD928E0C455C
                                                                                                                                                                                                                                                                  SHA1:EE929973FA7577C9492D99B975FC09B1C6E65C15
                                                                                                                                                                                                                                                                  SHA-256:17B1A1197ADF44736D874FD2D95E33EE76BE38A97561ECDE37293B4011BD49D2
                                                                                                                                                                                                                                                                  SHA-512:4CC5CC3FB9016EE499E86B14F328DF078124C06B14E7FC731A10685DEF6D381BA7BFA968E1A31847A15FDA2F688558A7746B8486CA5E91BBA2376788D1D8BE95
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....*..........." ..0.................. ........... ...............................\....`.................................k...O.......H...............P(..........d...T............................................ ............... ..H............text....... ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........D...X..............H............................................($...*^.($......@...%...}....*:.($.....}....*:.($.....}....*:.($.....}....*:.($.....}....**.-..(....*..s%...z.~....*...0..........(....,..*..(.....o&......&...*...................0...........(.......('...-..,..*.*.(....,.r...p......%...%...((...*..()...*.(....,.r...p......%...%...%...((...*...(*...*.(....,!r...p......%...%...%...%...((...*....(+...*..,&(....,..r...pr...p.((...(,...*..(-...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):33872
                                                                                                                                                                                                                                                                  Entropy (8bit):6.464430553650891
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:pup+kjcS4GAF7ItpTYbg8lAZnsboXMEpYi60n0y:pi+YoF7Itmbg82sbo176Ty
                                                                                                                                                                                                                                                                  MD5:70AD333E5F1E224644C269005FA2D71B
                                                                                                                                                                                                                                                                  SHA1:1E3FD3E37C5A4AF35E8AA9A88E0D4C6A48114EF3
                                                                                                                                                                                                                                                                  SHA-256:DCC3BACC8AE4841338386E897A28A3B20A1ADF7B95389152390F4A93DFD5BFDC
                                                                                                                                                                                                                                                                  SHA-512:8FAF111A9B55F2189A4DDC3060ED485036938E0681BF60CF2E8611CA698EB1A90DBACBB2D6729DEACBA4AB09324651B019D75638C28B035B919D41057805DBCC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kq..........." ..0..R...........p... ........... ....................................`.................................;p..O.......8............\..P(..........0o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...8............T..............@..@.reloc...............Z..............@..B................op......H.......</..,<..........hk..H....n........................................(....*^.(.......I...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):66640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.301325813866528
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:myK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+v76U:mykl8tla/nbr1kiBx3vP
                                                                                                                                                                                                                                                                  MD5:FE98F581483729C0D911BD0C2342F924
                                                                                                                                                                                                                                                                  SHA1:EAC4DDEDAA515BC476B70CFB9CF9885FFC02D332
                                                                                                                                                                                                                                                                  SHA-256:945316F7746938D97B136E40F5A04EC71A88AC6D0449D2D62D472F4666848885
                                                                                                                                                                                                                                                                  SHA-512:BDCF12D0C8A1BAA82ECED4639890E580807D6A11FCD6E0E9CA0129B88628FF8D3A8FE26BDC7C14733B04720163BBD6511E3E759C93A091E8676F056F2E1B83B7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*t............" ..0.................. ........... .......................@......B.....`.................................i...O.......................P(... ......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........R..l...........X.................................................(!...*^.(!......p...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):69712
                                                                                                                                                                                                                                                                  Entropy (8bit):6.223827955087223
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:DsDE/e+9cxoZhNyjcMiJSAopUx+ZM76ohkz:gDE2HozNyjcf4o2MTkz
                                                                                                                                                                                                                                                                  MD5:6E2697DB393D6E8AA67CB5058C78F8B9
                                                                                                                                                                                                                                                                  SHA1:D9039790C698CF0BAAD4067AA223BC59D99B86CD
                                                                                                                                                                                                                                                                  SHA-256:E0133F189FC3561BA5308529E78FD212EA16F681BEC8670E51B3473567E259CF
                                                                                                                                                                                                                                                                  SHA-512:1CCCF23A2D5BDDD98A988FAE9B52EE84B9C7428951BA22988B21197F825EA76FECAB2C0E309272E69C1A9B226B0997E0C0A306E84DC29873B862400963A2CA10
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p............" ..0.................. ........... .......................@......:2....`.................................S...O....... ...............P(... ......`...T............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........T..............`.................................................(....*..(....*^.(.......\...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r...p......%...%...( ...*...(&.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):64080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.288018545132408
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:k5HPh4EAiOY3m47MHUlIarqNCd4/gZaLstEQDNKTqRLtfYrxcfC8WEpYi60Yj2:k5PhAi33m3UOZsd4IZnuQDLtfjfCG76o
                                                                                                                                                                                                                                                                  MD5:5B798C46513ABC795D47C034F316C4D6
                                                                                                                                                                                                                                                                  SHA1:26550D71839DD8BD36DB8B2E20ABF3D9B42D3E77
                                                                                                                                                                                                                                                                  SHA-256:E265A7EB1DC1A85CC822C826D4D5691EB71F7D70FD06A4F36B6B531192A8FB6C
                                                                                                                                                                                                                                                                  SHA-512:F8AA5A4D125E3149EBF07ABB9A9CB0F026C35585CEAD385A8FBAA93F42502FCFE91B28B13C058C11A11A52D65C8A0A8C93C18A98A457117904CE28711EDF1D3E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S............." ..0.................. ........... .......................@............`.....................................O.......................P(... ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......PO..............X.................................................()...*^.()......N...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z.~....*...0..........(....,..*..(.....o+......&...*..............!....0...........(.......(,...-..,..*.*.(....,.r...p......%...%...(-...*..(....*.(....,.r...p......%...%...%...(-...*...(/...*.(....,!r...p......%...%...%...%...(-...*....(0...*..,&(....,..r...pr...p.(-...(1...*..(2...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28240
                                                                                                                                                                                                                                                                  Entropy (8bit):6.540408498244601
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:b1YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsXNyb8E9VF6IYijSJx:54jUv6iT9jsi8HyeU7LbEpYi60lG
                                                                                                                                                                                                                                                                  MD5:EFF907D202C8276FAC2E40C6FB05A0B7
                                                                                                                                                                                                                                                                  SHA1:80B065082AF0D56757CD22192ADCCB093B56392A
                                                                                                                                                                                                                                                                  SHA-256:7B496A21EBE9EEEAA50D2BF4D7A8E5E4ED44A8E1EDC20E62211EC463855D2833
                                                                                                                                                                                                                                                                  SHA-512:A4E879E1B74E005650F72B37A6AE1D463927D647EA0869DB155C2C492B26666A44BF577A9C55FCE08834389A0C9954ECA5DC355BDBF370B3084D59F52435D090
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oe..........." ..0..<...........Z... ...`....... ..............................m.....`.................................1Z..O....`..L............F..P(..........$Y..T............................................ ............... ..H............text....:... ...<.................. ..`.rsrc...L....`.......>..............@..@.reloc...............D..............@..B................eZ......H........&..d...........\U..H....X........................................(....*^.(.......7...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):59472
                                                                                                                                                                                                                                                                  Entropy (8bit):6.331423870898674
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:H7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7E5EpYi604:bJ4V26g1YuuP/2IOef76B
                                                                                                                                                                                                                                                                  MD5:F871C018EF2B25D9FBDCBC6553565B56
                                                                                                                                                                                                                                                                  SHA1:4B9A73EB7EF4D9AE38F6C60C917D3D552142C9C4
                                                                                                                                                                                                                                                                  SHA-256:C632FFBE353493B69C6D1A7B3DE49B99BA53454C0BB6D550AECA01941D37BD68
                                                                                                                                                                                                                                                                  SHA-512:664AD86077CFE852FF74391DD22B77EBC661A1887B6BFEDB756784433E54B345CE6BFE90F321A513514005332D0D9BE1654EE4EA85337BB165688438ED3FF293
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0.............:.... ........... ....................... ............`.....................................O.......L...............P(..............T............................................ ............... ..H............text...@.... ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........H..t...........l.......d.........................................()...*^.()......a...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z..0..l.........~..........(+...*(,........,.r...p(-.......+.r...p(-.....,..ry..p(....-..r}..p.o/...+..+....(0...........*.0..%.........~.......3.(....-..+..%............*F................*..0..<.......r...p..(1...,..*r...p(-.....,..ry..p(....-..r}..p.o/...*.*.*.~....*..0..........(....,..*..(....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):21072
                                                                                                                                                                                                                                                                  Entropy (8bit):6.656390892419785
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ZzhlvlfTcbY3SCkWJOVMWskNyb8E9VF6IYijSJIVx2aJq2h:zrfTcbY+uEEpYi60T/h
                                                                                                                                                                                                                                                                  MD5:19104941CD113377E35CCF5135A1843D
                                                                                                                                                                                                                                                                  SHA1:1923E051D328975BC5EDEB6EF86FA50B1CCF6056
                                                                                                                                                                                                                                                                  SHA-256:889D30261A9EA753260F72BD561026685D45503849745CC8C25D5B9B3A1F3C5E
                                                                                                                                                                                                                                                                  SHA-512:FB365CB21D5EC578DB082D58FDFBF7F1D54F318156CB00F2BE872F1902D212B978CE36522C6C72C43D8CA471DB48EDE64378720C5A01662F1F86ACB4250E9DC7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.}..........." ..0..............=... ...@....... ....................................`.................................-=..O....@..(............*..P(...`......0<..T............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@....... ..............@..@.reloc.......`.......(..............@..B................a=......H.......H"..h....................;........................................(....*^.(.......)...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*J.o....(...+(.....*..(....*.~....*.*.(....*.s.........*.~....*..(....*.*.s.........*:.(......}....*.(....*F(....,........*.*...0............(....-.*..r...p(.........o .....(!...,.*....("......(...+..r...p($

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):26192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.641194802197715
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:B3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWspUNyb8E9VF6IYijSJIVxUo0elF:B3hQsE/8irTnfYFr/pUEpYi601nn
                                                                                                                                                                                                                                                                  MD5:DB9A42C37C2014B7211C8B1ADF138D9D
                                                                                                                                                                                                                                                                  SHA1:5FED4CC63EA69D11A999F972D38650441023C772
                                                                                                                                                                                                                                                                  SHA-256:B946DB49D488535D18536DB06BE4F1CA51FF1A2D9B16C3F082F8643A2379E6FF
                                                                                                                                                                                                                                                                  SHA-512:E080F4543D4B940C45F5E752562626546E0AF5FD07D2C8B344B87A83D67521390368CB048A88439DE4F36C22F2D7087ABDB52CD6902C11AEEE27FEFA4E73C883
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Su..........." ..0..4...........S... ...`....... ....................................`..................................S..O....`..`............>..P(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc...`....`.......6..............@..@.reloc...............<..............@..B.................S......H........'..T*.................. R........................................(....*^.(.......5...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*v.r...p(.....o....(...+(.....*..r...p(.....r...p(.....o.....s'...(...+(.....*..r#..p(.....(....&.o.....(...+&.*..("...*.~....*.*.(....*.s.........*.~....*..("...*.*.s.........*...0..x........("....r7..p(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):35408
                                                                                                                                                                                                                                                                  Entropy (8bit):6.575755204796465
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:9oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWs1Nyb8E9VM:LDhbJ5nR02TQCWoJ92REpYi60Kk6
                                                                                                                                                                                                                                                                  MD5:3991CE21FDAF6242736D350CFF3DC68F
                                                                                                                                                                                                                                                                  SHA1:042C5A56BE96744D3095F9C41B6DFF7D7EE0121F
                                                                                                                                                                                                                                                                  SHA-256:D127E3F78779D0E387E974CE196398F92BDAF232C8CDE0FFADE87619BAD7B2F8
                                                                                                                                                                                                                                                                  SHA-512:3DB24ADB02EC97397FCD1125E8BCC69E27CA9456BE7082FA4C5063E1D5BC77ED435F9C8E2FA4E1D561A11FC715AF143D72228388D7295370C9DE0A0B4109FEEB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............." ..0..X..........nw... ........... ....................................`..................................w..O....................b..P(...........v..T............................................ ............... ..H............text...tW... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B................Mw......H.......X0..8E...................u........................................("...*^.("......J...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z:.(".....}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.($.....}....*....0..+........{....oG......+......o%....o&.....X....i2.*:.($.....}....*2.{....oB...*..{....*..0..M........r...p(.....o'...~"...(...+.o'...(...+(*....o'...(...+(*....o'...(...+(*....*..($...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):48208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.410791336032204
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:17d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxtEpYi60p7uh:17d42LfKy3SKKKKr8keqBdd0UFE76Jh
                                                                                                                                                                                                                                                                  MD5:9EDB59E26F2E2B161437BE30E12D1BA5
                                                                                                                                                                                                                                                                  SHA1:68A9538F0207FD95F538DC6BC98500B577CA4263
                                                                                                                                                                                                                                                                  SHA-256:79C7D9C74FDABB58C6355DDF98A842547CE8EE42E01191FB4A12BDAE8ADA5AD6
                                                                                                                                                                                                                                                                  SHA-512:DE2CAE46848949BE67BF1D1C96534F873C080A118ED3D059927440DCB4CD864944DF567AD63DC9804E92ED5B9AE9ACDC62D9CBE82A6319EA633568F4DF0DB1D3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H..........." ..0.............Z.... ........... ...............................M....`.....................................O.......(...............P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B................9.......H.......\?...d...........................................................('...*^.('......W...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):24144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.629489538581648
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zy1x30dJaeTP8pBT7xe3SUDtzWzK0Ws0Nyb8E9VF6IYijSJIVx61mx4GWR:zq/eTeABdW0EpYi60a24x
                                                                                                                                                                                                                                                                  MD5:B79DE0C189657DC7695959CC7F723B31
                                                                                                                                                                                                                                                                  SHA1:B95CAE2523413CD5E98D08B6BF40CD6B1AE30BB9
                                                                                                                                                                                                                                                                  SHA-256:A75961BB014A0283BD150247EEC925CA0D2717E1FDF27262C421AB214278830E
                                                                                                                                                                                                                                                                  SHA-512:2B2F74E85682029B6D6E7F918E4CBF159E1E2D1764B04BBB57E3A83EFB38C94EA82F9EA6E3680C24F1466CEFB89F0990E792F62617EDB7D39DFB28D57393CA7D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D3..........." ..0..,..........FK... ...`....... ..............................8x....`..................................J..O....`...............6..P(...........I..T............................................ ............... ..H............text...L+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................%K......H.......0$.. %..................PI........................................(....*^.(.......*...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.(......}....*..{....*..{....*"..}....*...~....%-.&~..........s....%.....(...+*..r...p(.....o.....o......(...+&.*.0..P.......s ......}!.....}"....r...p(.....{!...r...p(........#...s$...o...+&.o....(...+&.*

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.347288911250665
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Wg+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4fEpYi60k7M:Wg+uGuV+1mbaqvy9OfLKMS4Y76K
                                                                                                                                                                                                                                                                  MD5:3D389341072F7E3007CBAF89BE2CEE07
                                                                                                                                                                                                                                                                  SHA1:955F0CD9BE38B30430CBE1C679B6D9F8BEE2D6F5
                                                                                                                                                                                                                                                                  SHA-256:CA3E34116E3425D94ABF9C11C53C64DE61A4C9B59382E31846552B7067BE2041
                                                                                                                                                                                                                                                                  SHA-512:1F3FBC2C7EABC68336F76136CF5FB9C8FB3C52E586B082C555CD128E0424E0A566B6CC29CC38BF5470460500D7190E13AA9ADC57D33AD53EE1AD1BF07C59A07E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%..........." ..0.................. ........... ....................... ......G.....`.....................................O.......H...............P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........F.....................0.........................................('...*^.('......G...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):42576
                                                                                                                                                                                                                                                                  Entropy (8bit):6.372478146658094
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:NKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw3EpYi602p:Jd8hMfHuXbIkOP7ym3jZ/uiCRgrJ76f
                                                                                                                                                                                                                                                                  MD5:BD3A0337F0C30918BDC188857D425C74
                                                                                                                                                                                                                                                                  SHA1:872EE96948F18F238C11EE675288A7D49015AD55
                                                                                                                                                                                                                                                                  SHA-256:4DA12341EEA412DE444F0CB5D534FA9D3552778922D4165D47D697917EA9BEFD
                                                                                                                                                                                                                                                                  SHA-512:F71FBD9D25D5C560F45A41491226461F6CB842A9385071F8CDB99E8BB7264355671A06A50ABCCB1D59F8F31B32AA015897279ED8FEFBD58E7D9739DE77452C94
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.:..........." ..0..r............... ........... ....................................`................................./...O.......l............~..P(..........8...T............................................ ............... ..H............text....q... ...r.................. ..`.rsrc...l............t..............@..@.reloc...............|..............@..B................c.......H........:...O............................................................(-...*^.(-......G...%...}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0...*....(3...*..,&(....,..r...pr...p.(0...(4...*..(5...*.*.(....,.r...p......%...%...(0..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):345168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.141653165126045
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:qpc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weR:LpTCqAn+fnw5h9hdls+IZTWc8
                                                                                                                                                                                                                                                                  MD5:8AD62152C774F9E5E863647986176CEC
                                                                                                                                                                                                                                                                  SHA1:CBFD226349772DE4A7BD1A397B9A197DA5EF17DB
                                                                                                                                                                                                                                                                  SHA-256:FBB92409C4C7FC62934E0EAA2B7B9D9B3FC166EEAB22100BEDDACE141A90E14C
                                                                                                                                                                                                                                                                  SHA-512:BAB680BAAA50CB5E828BB06FFDEA52BC0F648F206416AFC15E06B3577713950473E7D67699E20AE8A832AB90607C5CFBC10335FC98CF591C1DFA00A18023BA09
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z............." ..0..............0... ...@....... ....................................`.................................S0..O....@..................P(...`......D/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H...........xZ..........|...H.............................................{....*..{....*V.(......}......}....*...0..A........u2.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q5....5...-.&.+...5...o.....%..{.......%q6....6...-.&.+...6...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u7.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710736
                                                                                                                                                                                                                                                                  Entropy (8bit):5.954096125476881
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:OFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDM6:CzMTMNNd+g5Wk78GBBjgrIQtDt
                                                                                                                                                                                                                                                                  MD5:0F2FCE599017F8E46AB778CE1BE8CEEC
                                                                                                                                                                                                                                                                  SHA1:DEE6ED88C5E2E6CD3C247A0A2C6AA2232D84AE1D
                                                                                                                                                                                                                                                                  SHA-256:0C99EA300932D53DBB69BE97A76BBF6249DE62F98307661747739738602EE66A
                                                                                                                                                                                                                                                                  SHA-512:98C517BAB3D7FA4DE0AE888137C741DC25CF48503D4610C3B7F1D9BAE948BE2054BFF708398C02688BF793F2F8F9B2A5C8A8BAD41E2CBD2DFF76384592459BAD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0.............>.... ........... ....................... ............`.....................................O.......................P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............9............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*.(.........*....}.....(......{.....X.....}....*....0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..o....aX...X...o....2.....cY.....cY....cY..{......{...._..+&.{|..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):285776
                                                                                                                                                                                                                                                                  Entropy (8bit):6.198246078607741
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcOY:5MZpj06vUsMjbQ77D+w
                                                                                                                                                                                                                                                                  MD5:DE269EBB2341B2C8FBC1867929486CA3
                                                                                                                                                                                                                                                                  SHA1:8FFA56B29C1BF1D710EF28BB09FC1E5F61355BC7
                                                                                                                                                                                                                                                                  SHA-256:5E6E72C150F55DFFD43A42CF6674895734971C8EC761DE639DFBA575B82403B8
                                                                                                                                                                                                                                                                  SHA-512:43CF7760C7AD945277EAF9F075F3807B0222AEC4B440FDD3FCC8DECD56C74EF3E71953418ABEFA2F5C55314F397A68F20807235B09CDE5C8E36E0C3AC1AC6698
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..*...........H... ...`....... ...............................G....`..................................H..O....`..L............4..P(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Xd......................TG......................................^.{....,.(G...z..}.....*^.{....,.(G...z..}.....*"..(L...*"..(M...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):38992
                                                                                                                                                                                                                                                                  Entropy (8bit):6.293140443991646
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:ydfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIdU:yxuJRRsnHnyhQupytM9z7O3zfXYvj8r/
                                                                                                                                                                                                                                                                  MD5:7375A255242837552CD21BCFF925B0A4
                                                                                                                                                                                                                                                                  SHA1:60EC69A8DDFD76EEE9CF8FB9CED5ED5EE899AA5A
                                                                                                                                                                                                                                                                  SHA-256:C83CFA4CC990CB769A7B7FEF91625D8521670465819BB462166B3BD5F938491B
                                                                                                                                                                                                                                                                  SHA-512:196A9FC65340A4DA2EEE47A7EE40C0061AE6681CE05EE54E476E101A4A2F806199CD78EE08707D6A9CF79B5006FF2B21226BB5FCFDFBD83805C6BAF896A038A9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..f..........Z.... ........... ....................................`.....................................O....................p..P(.............T............................................ ............... ..H............text...`e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B................;.......H.......tF...=..................t.......................................2.o....s9...*6..s4...o....*..0..>.......sg......}......}......}.....-.r...ps....z....h...s....o....&.*...0..C.......sk......}.....-.r...ps....z.{....-.r...ps....z....l...s......(....*..0..{.......sm......}......}!.....}"....-.r...ps....z.{!...-.r...ps....z.(....u....} .....{ ...,..{"......+..}........n...s....o....&.*..0..U.......st......}(....-.r1..ps....z....u...s....(...+&.~....%-.&~......f...s....%...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27728
                                                                                                                                                                                                                                                                  Entropy (8bit):6.552018898582154
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:pSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYhNyb8E9VF6IYijSJIVxKtKu:pSCZUl2O1zCnXyzDeEpYi60kf
                                                                                                                                                                                                                                                                  MD5:1D8206B4D0D1BD662025D28CA5A46E58
                                                                                                                                                                                                                                                                  SHA1:88524C086E4DBD6625FACA3DD4B53B2491084111
                                                                                                                                                                                                                                                                  SHA-256:447D1CC45EE11F2DD755B4F54DCF3F5903429C11029FC48CEDC1B85E4F28B78D
                                                                                                                                                                                                                                                                  SHA-512:31A94DDAE20FD48A282A5C8DA8ED7B97D5A83DEBF6CF89AE91FE267D0095022F3CCB54EBBCA6EB85E82E57DB7521B2702FFF0BF10AF043BEE76987DCC6A35979
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....m..........." ..0..:..........vX... ...`....... ...............................}....`................................."X..O....`..h............D..P(...........W..T............................................ ............... ..H............text...|8... ...:.................. ..`.rsrc...h....`.......<..............@..@.reloc...............B..............@..B................VX......H.......H...H(...................V........................................(....*..(....*..-.r...ps....z.-.r...ps....z..s......o....*v.-.r1..ps....z...s....o.....*...0..V.......s.......}.....-.rA..ps....z.,..o......./...s....(...+&+...{.....s....(....&...(...+&.*...0...........-.rQ..ps....z.o.... ....1..{.....o....*.{.....o....t......,..*.{.....o......{..........(.....{....o.... ....3..{....o ....{......o!......,..(".....*.........U.4.........s#...}.....s$...}.....s%...}.....(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41552
                                                                                                                                                                                                                                                                  Entropy (8bit):6.317883878515866
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:+3UqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BCEpYi60+:XLrgfPw3mXREaD76v
                                                                                                                                                                                                                                                                  MD5:142B51D1CB3F8220FE69404159703BE2
                                                                                                                                                                                                                                                                  SHA1:B69B8678B08F5674C533B728A895FDBE9F0E051F
                                                                                                                                                                                                                                                                  SHA-256:96811558375D8C94A486D0C604BB8299CBD484CBE7985600F403D5D884B1A8AA
                                                                                                                                                                                                                                                                  SHA-512:4BE4FB76CB05CD872B3CFD829DD08D00F5567D331479A3134A3A60AD5879DD21382CC794551E7F75C1AE85632018EF5E46AF59DF577EAF3CEA36C61F74894860
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z..........." ..0..p............... ........... ....................................`....................................O....................z..P(.............T............................................ ............... ..H............text...$n... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........<...O..................X.........................................(....*^.(.......D...%...}....*:.(......}....*:.(......}....*...0..,.............................................(....*.0..*...........................................(....*...0..(.........................................(....*.0..&.......................................(....*...0..S........-.r...ps....z.-.r%..ps....z.-.r/..ps....z...s ..............................(....*..0..V........-.r...ps....z.-.rM.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138320
                                                                                                                                                                                                                                                                  Entropy (8bit):6.15934663093023
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:bobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDt4NO:cbKKz1UeZk/Phv8lDuPaV
                                                                                                                                                                                                                                                                  MD5:E465521C59C11C51738CC4174E8FCC68
                                                                                                                                                                                                                                                                  SHA1:C782E51D40FE696A2E4E5314CFC46A071A409BBF
                                                                                                                                                                                                                                                                  SHA-256:B387C5C612C559DE5EA70D873BED490CA3FBE40073E73F0EAD5E2FFD09C3642D
                                                                                                                                                                                                                                                                  SHA-512:F9C269801D26E67235ACD30B2655F3E5A71FA58D617D503242933E374447726A93007AE3AE97F835BB7539A9169E2EF6192815D866F1383D4EAF41CD3FD96016
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........." ..0.............6.... ... ....... .......................`......k~....`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......h...0O............................................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. ... )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0..b........r...p......%..{)......%q.........-.&.+.......o2....%..{*......%q.........-.&.+.......o2....(3...*..{4...*..{5...*V.(+.....}4.....}5...*.0..;........u......,/(,....{4....{4...o-...,.(.....{5....{5...o/...*.*. .T.2 )UU.Z(,....{4...o0

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):150096
                                                                                                                                                                                                                                                                  Entropy (8bit):6.237726048640069
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:O0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krTe:907iSqSnkMDjy2
                                                                                                                                                                                                                                                                  MD5:C62817B604D61C7713A7E653F31A85A2
                                                                                                                                                                                                                                                                  SHA1:5076C010961D64C70E20A8E0B1264DE862F1A002
                                                                                                                                                                                                                                                                  SHA-256:1D4F20AB1FFD4CE57C198F8851671061E06513416FB3764607A9D63EFA693891
                                                                                                                                                                                                                                                                  SHA-512:4554475857586EC327EE561DACE31D83F4E328E1F4D38D5F9AA3EA15A51A46508EE19F44BE534F0D09D633B786AFF2499B7A74CEB4DCF32D2A91EFEECE829616
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#9..........."!..0..............4... ........@.. ....................................`..................................4..W....@..............."..P(...`.......3..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................4......H...........lV............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*..0..&.........+....(....G...Z.(......X....(....2.*...0..L.........(..........(.....Z.(......(.....s....~....%-.&~..........s....%.....(...+*...0Y..5...0Y*..aY.5...aY..X* ....*V..0Y..6...aY......*.*.s.........*..(....*....0..&...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.178562116222838
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:etgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlHEpYi60CV:eiprEfsOuD0hhji6DrLbAg76VV
                                                                                                                                                                                                                                                                  MD5:B60300F33BC14227755C9DA5A088ECD4
                                                                                                                                                                                                                                                                  SHA1:33D67AF11511813084E18AF7239D10BE4FEABB52
                                                                                                                                                                                                                                                                  SHA-256:920B101208961328406331DAAF2E579FCA8F10755854BE935DC9E87F9714F39D
                                                                                                                                                                                                                                                                  SHA-512:61A108811E3B6E1FBDF481C6842A56836CF61F9A13A745D0108A5D222451B43BF955D9F454BDD0D66A8F1D429348415F478D30E44EC83822EAEA3F9DD1C0D377
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L..........." ..0.............Z.... ........... ..............................;.....`.....................................O.......................P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................;.......H.......<5..,m..........h...0.............................................()...*:.().....}....*.~....*...0..........(....,..*..(.....o*......&...*...................0...........(.......(+...-..,..*.*.(....,.r...p......%...%...(,...*..(-...*.(....,.r...p......%...%...%...(,...*...(....*.(....,!r...p......%...%...%...%...(,...*....(/...*..,&(....,..r...pr...p.(,...(0...*..(1...*.*.(....,.r...p......%...%...(,...*...(2...*.(....,.r...p......%...%...%...(,...*....(3...*.(....,"r.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):34896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.287043525920534
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:23wGplLcGsTK/lWNVz7MW+N92D1NlteVPEpYi60w8:23wMZ1lWL7MW+N0peVo76/8
                                                                                                                                                                                                                                                                  MD5:4411688A6ED39CA914ADA0D5F50A9BF3
                                                                                                                                                                                                                                                                  SHA1:E51B3908FCF47D753E7C0D17E66EF9A9F9F6B419
                                                                                                                                                                                                                                                                  SHA-256:DF312456E626FDC6D1B55EE64C5764C758742F50E056CAF089FA4D90D23DA9FB
                                                                                                                                                                                                                                                                  SHA-512:56CC118BA445631ABE0496A716F1C5BE00AFF7C5253024AD14324AC7B1138FD17A69EAF7C43F4C39E71882A9B00AB91B7AFE9A0566352D1C5F85DCF9C98DE464
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............" ..0..T..........6r... ........... ...................................`..................................q..O....... ............`..P(...........p..T............................................ ............... ..H............text...<R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............^..............@..B.................r......H........(..h6..........$_..8...\p........................................(....*^.(.......7...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.~....*..0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r...p......%...%...("..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):71248
                                                                                                                                                                                                                                                                  Entropy (8bit):6.130458302613061
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:2QuedlunqpC9yYxC9P7tt08eeykGlsESo3G76+Z:F3KICHxC9ZJexRsG3GLZ
                                                                                                                                                                                                                                                                  MD5:6ABF45C89ECD52D20F71ACAD4D96B251
                                                                                                                                                                                                                                                                  SHA1:80A7AC59575BFBB85D91D0E901C65E034920BD94
                                                                                                                                                                                                                                                                  SHA-256:D5E5CDD64F6DEB5FE49E5C45E6EA8B9BC556E28D65D3A004C884A8AAC87F2B08
                                                                                                                                                                                                                                                                  SHA-512:63AAF00DBA49F94AAD54C09527163F87D2FB34CAAA6B2FE77953B58A51148E3BCC6009ADB22FA4B143D15DDF719E4BC96B94960BD27E25ED37F004F015F284DC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n..........."!..0.................. ........@.. .......................`............`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............w...........d................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*^.(...........%...}....*:.(......}....*....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(......R...(......d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*f..._....0X....91...X....*.~....*.0..........(....,..*..(.....o.......&...*..................~~....%-.&.....(....s....%.....*.r...p(.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):543312
                                                                                                                                                                                                                                                                  Entropy (8bit):5.986933648131665
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:n6+HbUMHVgQO61+5ZpvsQ60OghEusa4UQgce0x7KjF76pkLzLFEnJEIfibgPKiUX:n6aRgsgfEU4UDcxkLzJEBsgPKiUYFHPG
                                                                                                                                                                                                                                                                  MD5:E77BF920E2DCCB34C50D962AE8D311F9
                                                                                                                                                                                                                                                                  SHA1:C3A6AB1B6AFA434EC5D55E7007A32C2F1B80CE64
                                                                                                                                                                                                                                                                  SHA-256:713D4CDC9F120114926CD8BA6DD8F896624F1AC63C5D9EC97682C31A93F55292
                                                                                                                                                                                                                                                                  SHA-512:6CF00F9AA8EC9A1C6542ECFD703E554ACA8CA7A2A2BA8E91DE5F4542CACE309CA7697AED7255FCE098367215473E4F9B2B55EAF0A87A04F2C28DDBE7A7BD1166
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B............."!..0..............3... ........@.. ..............................6G....`.................................h3..S....@..............."..P(...`.......2..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H...........s...........C...w..H.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.0..&........(.......(..../.(........(....G* ....*...0..@.......(.....3'..0Yn.!.~...~...i.?_b...@jY..._.j2..*.*.(.... .........*B..... ....s....*.~....*.0..........(....,..*..(.....o.......&...*...................(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.560006548424685
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                                                                                                                                                                  MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                                                                                                                                                                  SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                                                                                                                                                                  SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                                                                                                                                                                  SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ..............................;.....@..................................9..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................9......H........4............... ......P ........................................H.W..Q.2.<.L......H.*...W.!".5....8...}P1......#....Z.N..d.....o...P.....@G...g.g..7.w.!V_..4..7.=.G.".8%..q..G....a...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10240
                                                                                                                                                                                                                                                                  Entropy (8bit):4.43329064965383
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                                                                                                                                                                  MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                                                                                                                                                                  SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                                                                                                                                                                  SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                                                                                                                                                                  SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................n:... ...@....... ...............................x....@................................. :..K....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................P:......H.......,5............... ..\...P ........................................^M...=..A'R..\N.....U.{..-.Y+........E.?.......3.....#..9.v..2q..?..L..>s.SI.....}...M..Q.=.w....(<.I...,....>^..E..J..X..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10240
                                                                                                                                                                                                                                                                  Entropy (8bit):4.581775279455886
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                                                                                                                                                                  MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                                                                                                                                                                  SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                                                                                                                                                                  SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                                                                                                                                                                  SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................^;... ...@....... ....................................@..................................;..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................@;......H........6............... ..?...P ......................................S...8cY)..6. .X.YE...W.....*.......r.~@.]\.D.3.....4I...P.u.....Y2Y.n....)@.xV.#g..V.tI.&.gy8....)U..@k..n...FF..w..6.) R.;..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10240
                                                                                                                                                                                                                                                                  Entropy (8bit):4.368843686720491
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                                                                                                                                                                  MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                                                                                                                                                                  SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                                                                                                                                                                  SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                                                                                                                                                                  SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ....................................@..................................9..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................9......H........4............... ......P ........................................^V..d.~.R.t..i....v=.pIE\..#.}-{.u4....fIk.9.A..G....P_.S.u...w...J.AY....,.v.. ...A..."./..%.z+...".e..:.d....t.G...o................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10240
                                                                                                                                                                                                                                                                  Entropy (8bit):4.593201257102684
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                                                                                                                                                                  MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                                                                                                                                                                  SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                                                                                                                                                                  SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                                                                                                                                                                  SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................;... ...@....... ..............................._....@..................................:..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................:......H........5............... ......P .......................................4....4...L.."...J...%-..............Drc....4.....n.3Cw .r$y.4......%..5[YupFe....R..!`..#h.I..-3..kH..:~ya..P9....PD.}...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.84740063117937
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                                                                                                                                                                  MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                                                                                                                                                                  SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                                                                                                                                                                  SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                                                                                                                                                                  SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................~=... ...@....... ....................................@.................................,=..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B................`=......H.......88............... ..e...P .......................................s....E..s....D6..|G....Kc....,..M......8..................}..\.bf..qe.T....w RF..B..y5fW=...N&GE(..[...._.H.....Y.c...ta..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):71312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.106692533939604
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                                                                                                                                                                                  MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                                                                                                                                                                                  SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                                                                                                                                                                                  SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                                                                                                                                                                                  SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T............"!..0.................. ........@.. .......................`......B.....`.................................x...S.... ...................(...@......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......,...Lx..........$d................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*^.(...........%...}....*:.(......}....*....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(......R...(......d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*f..._....0X....91...X....*.~....*.0..........(....,..*..(.....o.......&...*..................~~....%-.&.....(....s....%.....*.r...p(.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):801048
                                                                                                                                                                                                                                                                  Entropy (8bit):1.7800450887072108
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                                                                                                                                                                  MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                                                                                                                                                                  SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                                                                                                                                                                  SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                                                                                                                                                                  SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|'............" ..0.............&)... ...@....... ....................................`..................................(..O....@..l................)...`.......'..T............................................ ............... ..H............text...,.... ...................... ..`.rsrc...l....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................H'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......`...#Blob......................3..............................................-.....-...0.....M.................R.................h.....7...........[.....x...........D...................................).....1.....9.....I... .Q.....Y.....a.....i.....q.....y...............................#.....#.....+.....3.X...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):159904
                                                                                                                                                                                                                                                                  Entropy (8bit):6.097873216527841
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                                                                                                                                                                                  MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                                                                                                                                                                                  SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                                                                                                                                                                                  SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                                                                                                                                                                                  SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,............" ..0..>...........]... ...`....... ..............................T.....`..................................]..O....`...............H...(...........\..T............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................]......H............}...........D..0....\........................................(-...*..(-...*:.(-.....}....*..j ....n_ ....n3..*. ...._ ....`*....0..w...........o.......o.................o.....o/.......o.....o/.....(0.........().....(1..............,..o2.....,..o2.....(3....*.........?Z.......0..K...........o.............o.....o/.....(0....(*....(1.............,..o2.....(3....*.........)8.......0...........(+..........*...0..g.........(...+....o.............o.....o/..............(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):86816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.013720216920584
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                                                                                                                                                                                  MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                                                                                                                                                                                  SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                                                                                                                                                                                  SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                                                                                                                                                                                  SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............<... ...@....... ....................................`................................./<..O....@.. ............*.. )...`...... ;..T............................................ ............... ..H............text........ ...................... ..`.rsrc... ....@....... ..............@..@.reloc.......`.......(..............@..B................c<......H.......hP..............h)..8....:........................................(&...*^.(&......K...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*6.~'....((...*R.~'....((.....()...*..(*...~'...(+...-..(*....s,...(+...*.*2.{-...(....*.~q...*...0..........(....,..*..(.....o.......&...*..............$....0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.709151479489131
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                                                                                                                                                                                  MD5:90289DA899746E328816734D723C93A0
                                                                                                                                                                                                                                                                  SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                                                                                                                                                                                  SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                                                                                                                                                                                  SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................8... ...@....... ....................................@..................................8..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................8......H........3............... ......P ..............................................~.Xi.....05.]..sE04.hg.'...../.K'l..a..m..Z....q..m..4&....h....le..|.Z...../.....!*............<.XV$!./..})................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7267524338984295
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                                                                                                                                                                                  MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                                                                                                                                                                                  SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                                                                                                                                                                                  SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                                                                                                                                                                                  SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................8... ...@....... ....................................@..................................8..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................8......H........3............... ......P ........................................u..q.:7i...g.'=......a.2j.V.:}......o.....F5.Sv....v.|...(.':KP.d._..D..s].Nx<..e........k.......P.0...h")g..N.>...@...).6...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1152141
                                                                                                                                                                                                                                                                  Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                                                  MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                                                  SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                                                  SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                                                  SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....}BrX.j5.........-...AgentPackageADRemote/AgentPackageADRemote.exe....0........d......0.....r...,.. UMA...|f-].=.U.j..p.....r..f.<..Z..g}m..LC.T.....Y.{s\.k... Y.....4..}..h.<L......L.........z.i9.K..~.ue."#"r.r..p..0.\./R...C.w..8..-.3.t...(.c..P..N....q.v&........u.a.e...]...9....r.@.=\v..B.~{|c.j.S...JL!g..Y@Ts9D$...)P.......{..8...Y...K...Z._".@.....a.8.P..7...ZY.-D8f\..ej.....@.w.$R>Q.B.....V..@..9....zdB..x..GK.....LDp...Xc......x......*.u..R..,...#...Q,.V....}..W....oT.._6n.g..bK.p.s...pABSv0.7..'.JK ....b.Y.-.B...!'Tjsn...."V......B.@.<CQ.K....>D.5E..w.'. ._%E..-......7.M..u1nr.7....T[.%6..t...Z..Q.;./....k.V....J-.\`..d...K.c. ..D.G.j.../..z..k.KH.....!..M...8....fr.......m....2..4-... ..CF...skN*.kv.E[3."gi3.Uv..*.S...n..~...)..!V..>...D..2..b..}..xW.ZPd..X\.g...1.RY.u.]p..Z b%r.....Hc.N.+[E...Q....3.K.H.....)NQ@L......./2.v..q...*.-:%... "...`...i..+!.D..q.];.ARRrQZ.B. i...M...Qy$.....p...A.U...=...LHF%...]..l.S.pl1....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52272
                                                                                                                                                                                                                                                                  Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                                                  MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                                                  SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                                                  SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                                                  SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0................. ........@.. ...................................`.................................p...O.......................0(.............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........B...s............................................................(....*.0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.0..........s....%.o...+o....o...+&%.o...+o....o...+&%.o...+o....o...+&%.o...+o!...o...+&%.o...+o#...o...+&%.o...+o%...o...+&%.o...+o...+&%.o...+o(...o...+&%(*...%.(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1782
                                                                                                                                                                                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                                                  MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                                                  SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                                                  SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                                                  SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11
                                                                                                                                                                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                                                  MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                                                  SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                                                  SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                                                  SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=6.0

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95792
                                                                                                                                                                                                                                                                  Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                                                  MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                                                  SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                                                  SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                                                  SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Bd.........." ..0..D...........b... ........... ...............................{....`..................................b..O.......8............N..0(..........la............................................... ............... ..H............text....B... ...D.................. ..`.rsrc...8............F..............@..@.reloc...............L..............@..B.................b......H........j..l............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tQ...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                                                  MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                                                  SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                                                  SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                                                  SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..B..........Za... ........... ..............................~.....`..................................a..O....................L..0(..........``..8............................................ ............... ..H............text...`A... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................9a......H.......4i..,.............................................................(......}......}.......}.......}........o?...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po#...o....*..{....o2...r...p.(....(....o(...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16432
                                                                                                                                                                                                                                                                  Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                                                  MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                                                  SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                                                  SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                                                  SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52272
                                                                                                                                                                                                                                                                  Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                                                  MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                                                  SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                                                  SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                                                  SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ..............................&.....`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                                                  MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                                                  SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                                                  SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                                                  SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......^....`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):883760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                                                  MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                                                  SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                                                  SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                                                  SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960711597816388
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                                                                                                                                                                  MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                                                                                                                                                                  SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                                                                                                                                                                  SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                                                                                                                                                                  SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......5.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):284208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.117274836584594
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                                                                                                                                                                  MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                                                                                                                                                                  SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                                                                                                                                                                  SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                                                                                                                                                                  SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.676829122620627
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                                                                                                                                                                  MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                                                                                                                                                                  SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                                                                                                                                                                  SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                                                                                                                                                                  SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):97328
                                                                                                                                                                                                                                                                  Entropy (8bit):6.241615255803021
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                                                                                                                                                                  MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                                                                                                                                                                  SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                                                                                                                                                                  SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                                                                                                                                                                  SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................d.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.18032959054322
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                                                                                                                                                                  MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                                                                                                                                                                  SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                                                                                                                                                                  SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                                                                                                                                                                  SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`...........@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17968
                                                                                                                                                                                                                                                                  Entropy (8bit):6.672454142602205
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                                                                                                                                                                  MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                                                                                                                                                                  SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                                                                                                                                                                  SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                                                                                                                                                                  SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................q.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):384543
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999457129580227
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:6144:QCkHWMIRwZL7gsOTLQezyUyt6ywEYUxa5FDW8mWalWh6Nxjuq0xn57/EMpx4Ip7/:x4j1ZXgsO3dU61Oa3a8O50VF/R7pwvgZ
                                                                                                                                                                                                                                                                  MD5:3C93B399B417B0D6A232D386E65A8B46
                                                                                                                                                                                                                                                                  SHA1:BB26DEAE135F405229D6F76EB6FAAEB9A3C45624
                                                                                                                                                                                                                                                                  SHA-256:29BC4577588116CBFEA928B2587DB3D0D26254163095E7FBBCDE6E86FD0022D7
                                                                                                                                                                                                                                                                  SHA-512:A963F5CF2221436938F031B65079BEA7C4BAFBD48833A9E11CD9BDD1548D68ED968D9279299AA2ADFC23311A6744D516CC50E6537AA45321E5653755ED56F149
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....qF=Y..t.........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....0...................$A...?..K.*...{K...>3..y..m..7.|.....l4._.>.G..............}.p.........@....q...2T_.1^|..;.V.(V.:...F|.{.oX.......>....8.]QK.r]3}..h....l.d.z......WI..dG.d..{>.CM.....9/j..a....f.qF...X.}a.t........%n.+..I..-Xa..7..d.D..0...L.K....i"..Z.....~.~....._..{p*......+v,.K..F.X.|;"..!d......So'.f.o.......^.A.........c......|315....o.oRU..#.....R..h..[.":i..+8}...E:..!.M...Th%O;.dX.qK2.....9TD...Nt.J...."..$..k..k.'&I.p ...h.d......Z.3~...]~.B...}...~.(:U....=r<)...,...+.$...i=...1I.]....4Z..'...&..R......R.sW.?../.k....USg........o.....[......U......e..V...jG.Y.....v2...ph.L..3..n.!..... ..W."...cJ./.`..Lr..l.b..'.N^@....,D.y.....i._....@....M..)u-C.R..3"....C.iV/..|..c....$_..Uj.....^.R...*5......O........6*qw..G5.+.\.1..... .X...f..H._S.....b..HY>.GJ..}.,Fj...*.!...,(.j!.Od...&.....`.[.y.1*...$...a.8.j#9.Q...y..E.S.rQ*.2O.;.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):177712
                                                                                                                                                                                                                                                                  Entropy (8bit):5.81549541154566
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:fDpvOyLSson7aezB53Pbsk4GJCMA1TSuAehsZ7f2lz8/ChoCby:fD4y07asBx4krGSeCZXH
                                                                                                                                                                                                                                                                  MD5:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                                                  SHA1:F135BE75C721AF2D5291CB463CBC22A32467084A
                                                                                                                                                                                                                                                                  SHA-256:36704967877E4117405BDE5EC30BEAF31E7492166714F3FFB2CEB262BF2FB571
                                                                                                                                                                                                                                                                  SHA-512:BD654388202CB5090C860A7229950B1184620746F4C584AB864EADE831168BC7FAE0B5E59B90165B1A9E4BA2BD154F235749718AE2DF35D3DD10403092185ED1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0................. ........@.. ....................................`.....................................O.......................0(..........X................................................ ............... ..H............text...0.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H...................,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):546
                                                                                                                                                                                                                                                                  Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                  MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                  SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                  SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                  SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhWRn:WY
                                                                                                                                                                                                                                                                  MD5:DC63026E80D2BB04F71E41916F807E33
                                                                                                                                                                                                                                                                  SHA1:6CDA386D2C365F94EA3DE41E2390FD916622EB51
                                                                                                                                                                                                                                                                  SHA-256:3B54D00F00AA80384DE88E4F4005E9D4D889A2CCF64B56E0C29D274352495C85
                                                                                                                                                                                                                                                                  SHA-512:61DA550EFD55187978872F5D8E88164A6181A11C8A720684EAA737E0846FE20B9E82B73E1F689A6585834B84C4CEE8DD949AF43E76FD0158F6CAFA704AB25183
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=37.9

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):96816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.180547422449922
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:vJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw0h:vQUm2H5KTfOLgxFJjE50vksVUfPvC1h
                                                                                                                                                                                                                                                                  MD5:9D8B5941EA5B905E8197A175EF2B15A9
                                                                                                                                                                                                                                                                  SHA1:86A078E94B5578EC4125F50F78C8518A8CE1D086
                                                                                                                                                                                                                                                                  SHA-256:C6F05B647DBADC15AB97D31790FC8ACE054986EC33E9178FEEAD4235AD15CB0D
                                                                                                                                                                                                                                                                  SHA-512:FAB5FE82873862CE8ED1A427482093CCA307F6663E9F6497FDC244CE461312872D419FF274CDCA0C496414C28681901F335C9911B95D2A7C112D30E32D74E498
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ...............................C....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):704560
                                                                                                                                                                                                                                                                  Entropy (8bit):5.954116173285503
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:i9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc33:i8m657w6ZBLmkitKqBCjC0PDgM5H
                                                                                                                                                                                                                                                                  MD5:BA66874C510645C1FB5FE74F85B32E98
                                                                                                                                                                                                                                                                  SHA1:E33C7E6991A25CC40D9E0DCC260B5A27F4A34E6C
                                                                                                                                                                                                                                                                  SHA-256:12D64550CB536A067D8AFFF42864836F6D41566E18F46D3CA92CB68726BDD4E9
                                                                                                                                                                                                                                                                  SHA-512:44E8CAA916AB98DA36AF02B84AC944FBF0A65C80B0ADBDC1A087F8ED3EFF71C750FB6116F2C12034F9F9B429D6915DB8F88511B79507CC4D063BAB40C4EAA568
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...............................E....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):4.6551775291850435
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:hsShKC+4MsShLP6SX9NfzyShaKf0O8zHGShaKf0Od:M4qBX9Nf1ed
                                                                                                                                                                                                                                                                  MD5:FEF779F9080E169667D0BF37B3B41595
                                                                                                                                                                                                                                                                  SHA1:89E54D1FDE27A65BC7E367E3F39347658C8CC7B9
                                                                                                                                                                                                                                                                  SHA-256:82D1614E8A34171745F31306CD75B390A1BA992DB292E4596A7BC82604805517
                                                                                                                                                                                                                                                                  SHA-512:1C0C2BF8AB5BC358F90A4972E131F0870F87EF9BAF02BBC241F4259EEDD8E72B4DACF7B4EAC8D1CEC3F9C08DBE239D3A60D7C81F9229CEF44F982490106DCAFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................TAgentPackageAgentInformation, Version=37.9.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]...............k.....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):35
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9572958738405695
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:YwmkknBjHSWn:YwBknBOW
                                                                                                                                                                                                                                                                  MD5:A71282775093E920F3237E046186BAED
                                                                                                                                                                                                                                                                  SHA1:4AB32BDFF8B8D685E5018361451C424074FBDE89
                                                                                                                                                                                                                                                                  SHA-256:9544960382743B4BEDD665DF73988A2762B37B1C60C09C8CC709C32F36825D96
                                                                                                                                                                                                                                                                  SHA-512:B4C523656037A01CBF915E48C8C06C3925C37CDD68E166D66B9F9CF64B56B4B14B39773E6DD470C499407EFB4D81F39A74A4B369DDC28C0AB72B49A06980CEC9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.20A1A71C903FB68BF22777E46A3F5366

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):35
                                                                                                                                                                                                                                                                  Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                                                  MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                                                  SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                                                  SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                                                  SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.2E69DDAE9D0D04A8ED39EECA359A9772

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):328916
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                                                  MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                                                  SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                                                  SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                                                  SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27696
                                                                                                                                                                                                                                                                  Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                                                  MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                                                  SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                                                  SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                                                  SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):542
                                                                                                                                                                                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):13
                                                                                                                                                                                                                                                                  Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                                                  MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                                                  SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                                                  SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                                                  SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=17.14

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):93232
                                                                                                                                                                                                                                                                  Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                                                  MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                                                  SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                                                  SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                                                  SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                                                  MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                                                  SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                                                  SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                                                  SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):833993
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                                                  MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                                                  SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                                                  SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                                                  SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):219696
                                                                                                                                                                                                                                                                  Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                                                  MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                                                  SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                                                  SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                                                  SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):541
                                                                                                                                                                                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                                                  MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                                                  SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                                                  SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                                                  SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=23.8

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52272
                                                                                                                                                                                                                                                                  Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                                                  MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                                                  SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                                                  SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                                                  SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):96816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                                                  MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                                                  SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                                                  SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                                                  SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):499760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                                                  MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                                                  SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                                                  SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                                                  SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                                                  MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                                                  SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                                                  SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                                                  SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):277040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                                                  MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                                                  SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                                                  SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                                                  SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):149552
                                                                                                                                                                                                                                                                  Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                                                  MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                                                  SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                                                  SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                                                  SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                                                  MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                                                  SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                                                  SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                                                  SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73264
                                                                                                                                                                                                                                                                  Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                                                  MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                                                  SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                                                  SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                                                  SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1246506
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                                                  MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                                                  SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                                                  SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                                                  SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):37936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                                                  MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                                                  SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                                                  SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                                                  SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!............."...0..`............... ........@.. ..............................P.....`.................................Q...O....................l..0(...........~..8............................................ ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............j..............@..B........................H....... 5...I...........................................................0..H........(......}......}......~D...%-.&~C.....j...s....%.D...(...+}.......}....*.0.._........{....-.r...ps....z.{....o.....i./2.{....r+..pr...p.{....o....(....(....o.............{....o........:...%.. ..o...........i.0..+......{.....o....-2.{....r...pr...p.{....o....(....(....o............{.....o.....o....o .....-.....ws....%.{....o!...o"...%.{....o#...o$...%.o.......E...{....%-.&.+.(....%-.&.+..(...+

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1295
                                                                                                                                                                                                                                                                  Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                                                  MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                                                  SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                                                  SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                                                  SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11
                                                                                                                                                                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                                                  MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                                                  SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                                                  SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                                                  SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=1.6

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):102448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                                                  MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                                                  SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                                                  SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                                                  SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95280
                                                                                                                                                                                                                                                                  Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                                                  MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                                                  SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                                                  SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                                                  SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ...............................+....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                                                  MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                                                  SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                                                  SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                                                  SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):354352
                                                                                                                                                                                                                                                                  Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                                                  MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                                                  SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                                                  SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                                                  SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ...................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):883760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.071511091364285
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:m1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ0:m1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                                                  MD5:1A5AE803BFFDEBA6B4D9825233D1C23C
                                                                                                                                                                                                                                                                  SHA1:E324D9B2F417F46FE3364658429B620BC5942322
                                                                                                                                                                                                                                                                  SHA-256:2BED7E5890D572E41770C422C25CF11F0D3C2D170C5F38F8EB1535E1A3E614C6
                                                                                                                                                                                                                                                                  SHA-512:D8DCB1E227AD001A2F43C9847E0A22D43DBE7021814AB88DBD168092A3C172D17CB69848F743166E755DB771B55025664C0E53580B9E48252B1581AD281E332A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................q....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):702512
                                                                                                                                                                                                                                                                  Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                                                  MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                                                  SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                                                  SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                                                  SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ....................................`.....................................O.......................0(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):285744
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190004154231823
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:uZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPngH:uZeZ6ANRIru9/pcMkoKV64SrWA
                                                                                                                                                                                                                                                                  MD5:2CD03F275D3BB90B106632F203DCAF64
                                                                                                                                                                                                                                                                  SHA1:025C716D6B123FA03DC9F97D4BF77D4AF20B75AE
                                                                                                                                                                                                                                                                  SHA-256:B90619EBE88644BDA995505BDE5D5E282403E27FF7A55E273CC2FF9ACC88300A
                                                                                                                                                                                                                                                                  SHA-512:321660D33F6126077D4DC04AFBB341B9D46D07E2B38CF45F1C7B2C8B60A58A3F008390EE6F8B6995BECF4B0EADF66C9263D4BE67C8269F9A0851207650B9632D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0..*...........H... ...`....... ....................................`..................................H..O....`..L............4..0(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Hd......................LG......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):284208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.117448325022863
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:/ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH9:Bgo0WPVTXgd
                                                                                                                                                                                                                                                                  MD5:BF59A9BBF620C0F06ED79180C868FCE0
                                                                                                                                                                                                                                                                  SHA1:2E8F9EF7A105A951790344A3B9ADC61DB35ABAAD
                                                                                                                                                                                                                                                                  SHA-256:CEBDB552DAC9E136F87E37A461B7683934F00AA2A74FBA15BC53ADFA38F1B79E
                                                                                                                                                                                                                                                                  SHA-512:C472376BD7A0E532CB8FDDA7ADDB00FB973D30F97368460929E8352C16BCB17EA92264C81E1E1E084566172ECE3D1513073D24B01990A808335D0C040039C6D3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ..............................\.....`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.678227546122444
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Xy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqq/dW:XuhMaVmzDC67EpYinAMxCwk
                                                                                                                                                                                                                                                                  MD5:181F16CCEBD4B02ACE42A02CC536ACA9
                                                                                                                                                                                                                                                                  SHA1:84795DA0255E288C96AC64F1C8150E81E0289FFD
                                                                                                                                                                                                                                                                  SHA-256:80582DBDE89A6D9906721AD27562C7B2BEDE7048E4D461828D3BA2C4438E58E9
                                                                                                                                                                                                                                                                  SHA-512:73F93A3F4538FCE421A453B5A90AC662CC58D5A846AFECB8E337F33A1D643A81C8D02F5F3AECAE4CF00828A3103C63614F086E92ABD262317B13CF608784D72A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.235108733243218
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:bzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWC:bzpjF0/t043e3vggr83jMYa/hU7HxVJU
                                                                                                                                                                                                                                                                  MD5:30BD9DF0841299E8FA11340B83A441B0
                                                                                                                                                                                                                                                                  SHA1:36447785062CB3DFDF9A1E03548EFD348760458F
                                                                                                                                                                                                                                                                  SHA-256:801BB92AA7A8840148FE548ECE4B7291C0E4FA73712FE2497074C925ECC906B9
                                                                                                                                                                                                                                                                  SHA-512:830B821EE5BF401A6B95662EE191FC8BF08BF64D4D8BFBDB0E142D303AB241C41C4134883C0851B4D5DAF49F598454CE33595787C7084B4F9504794D9B07E54B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ....................................@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.179673461309118
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ily:Mh0qjC5RMOHO420kN1Z
                                                                                                                                                                                                                                                                  MD5:37C069A058DC803C83C43DF6681907DA
                                                                                                                                                                                                                                                                  SHA1:ED522080452C472560A74F4B979BDC5CFE1643E7
                                                                                                                                                                                                                                                                  SHA-256:9CD89ED91343ABF19DEF9EE1809AC28765EB3D63E5597583D3D183156D8B3C62
                                                                                                                                                                                                                                                                  SHA-512:1F38E4153FBFF9C996C3348A325AC3E9B43118D97F5E51B1099D09C61BFC4D772ADE110603D479403317AD76AD42F494E55A58E278F825EFBFA6E1ABEE246929
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......!.....@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17968
                                                                                                                                                                                                                                                                  Entropy (8bit):6.674524887219165
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBr882HW:Hy9eEpYinAMxCAT2HW
                                                                                                                                                                                                                                                                  MD5:3D126403FBA7BC6FAC6E6ABF5FCE09E8
                                                                                                                                                                                                                                                                  SHA1:70B60D649EB174C109C0A6DC873444473D956694
                                                                                                                                                                                                                                                                  SHA-256:D2B815734C2683E7759DEEA3019FCD2B19F5B879CFA3BA02620619DBCAF73E38
                                                                                                                                                                                                                                                                  SHA-512:BC0D56E79471051228DB678AC686BE96BEA6697C2376AE28574EDBAD52CF827AE720A7F733B6FE96B2757610771137B6E6A6CF86B787128136D17B232F09569D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................R.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.335679732582514
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCF:QnvXYcIh6yFIFBYpc47HxG
                                                                                                                                                                                                                                                                  MD5:14C4B9D7E63166E65ECCD9A74A55BC4A
                                                                                                                                                                                                                                                                  SHA1:C1F849748FBC76EC9BF9BF934135860242CE1928
                                                                                                                                                                                                                                                                  SHA-256:83BBFBEDA8EFB1745ECDDBEE0FB16ECAE1E6524461FE075B90C700E34C78498F
                                                                                                                                                                                                                                                                  SHA-512:C2774C72B62148FFFF05B2714F4720D212F52F740812D307D683D66709D77FD06F325A4DB25D952B9B2CCA5A1DD60CEDFCBFB6420FA5CE1A81B9D711395671A1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73264
                                                                                                                                                                                                                                                                  Entropy (8bit):5.95485496879401
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRY:67N1r9KGI04CCARLY
                                                                                                                                                                                                                                                                  MD5:B742B57BE990E57E0D079CFAF918E086
                                                                                                                                                                                                                                                                  SHA1:00652CB0AD4ABCE039397AF2308B2D6D251A2B09
                                                                                                                                                                                                                                                                  SHA-256:8929394DD35DBF2592AAE46E1063D38D782122F2A7F6A0248A754817E4394823
                                                                                                                                                                                                                                                                  SHA-512:2CD15A7F0626AD3BBA10431AEEFEDE1A195987BA609EC01A51083EEEF11DA516FF4D0678451372106A27A66E013A1012FB00E74CB4F4125C7F451559DE326908
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`......4T....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3585766
                                                                                                                                                                                                                                                                  Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                                                  MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                                                  SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                                                  SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                                                  SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398384
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                                                  MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                                                  SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                                                  SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                                                  SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1459
                                                                                                                                                                                                                                                                  Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                                                  MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                                                  SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                                                  SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                                                  SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                                                  MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                                                  SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                                                  SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                                                  SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=37.8

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):102448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                                                  MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                                                  SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                                                  SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                                                  SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95280
                                                                                                                                                                                                                                                                  Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                                                  MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                                                  SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                                                  SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                                                  SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):75312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                                                  MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                                                  SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                                                  SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                                                  SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                                                  MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                                                  SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                                                  SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                                                  SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):155184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                                                  MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                                                  SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                                                  SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                                                  SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):215088
                                                                                                                                                                                                                                                                  Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                                                  MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                                                  SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                                                  SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                                                  SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):354352
                                                                                                                                                                                                                                                                  Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                                                  MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                                                  SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                                                  SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                                                  SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):883760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                                                  MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                                                  SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                                                  SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                                                  SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                                                  MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                                                  SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                                                  SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                                                  SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):293424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                                                  MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                                                  SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                                                  SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                                                  SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):277040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                                                  MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                                                  SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                                                  SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                                                  SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):284208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                                                  MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                                                  SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                                                  SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                                                  SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                                                  MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                                                  SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                                                  SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                                                  SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):409136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                                                  MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                                                  SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                                                  SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                                                  SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                                                  MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                                                  SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                                                  SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                                                  SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                                                  MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                                                  SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                                                  SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                                                  SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17968
                                                                                                                                                                                                                                                                  Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                                                  MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                                                  SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                                                  SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                                                  SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                                                  MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                                                  SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                                                  SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                                                  SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73264
                                                                                                                                                                                                                                                                  Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                                                  MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                                                  SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                                                  SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                                                  SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                                                                                                  Entropy (8bit):0.5546621225470328
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:TsFu5C4OZUlFJNGdNGveXXQXN+5NG1Z21ERb8W/Y0:2u5C4OoNSN1eN+5Nm21Ep1Q
                                                                                                                                                                                                                                                                  MD5:B3486366010B72DC34A62CDEBBBD334D
                                                                                                                                                                                                                                                                  SHA1:410C2B352FDBB28DA1E6EF712293CC73E1410DF9
                                                                                                                                                                                                                                                                  SHA-256:2BA56FA39993D45695DD4048967971B5A938C631632049BE97524BE951458767
                                                                                                                                                                                                                                                                  SHA-512:D00A911CDD3A3A352453AAAF4C08191E6DFAE2A92562E5BB232C46909DB1161FD8D72F18526CF09F115D11023A945F1EA59199688F0F0C4C4B7C0659B7592688
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                  File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12824
                                                                                                                                                                                                                                                                  Entropy (8bit):1.3824205832822827
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:7MTqcFu5C4OZUlFJNGdNGveXXQXN+5NG1Zx:7W/u5C4OoNSN1eN+5Nmx
                                                                                                                                                                                                                                                                  MD5:6DA5EE3323742454F2084F4EDC7DB432
                                                                                                                                                                                                                                                                  SHA1:23DFA94972A0EBAD01E6D68DF35BEE391B722DFE
                                                                                                                                                                                                                                                                  SHA-256:9D4BB71F406262C16269D2DB60EC21AB7D9AF0938B4DF802FE327F6D5E47B95B
                                                                                                                                                                                                                                                                  SHA-512:D98FD4AD66E85514C410B9DE7A6900010C57C35E6653ECAE57FA4BDE68386ABB7941EE74A6F2B72DEE4E35881E57C61D8B3C90CA95F8153100C49550C4A41358
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.... .c.......C?........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1799216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                                                  MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                                                  SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                                                  SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                                                  SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):1475632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                                                  MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                                                  SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                                                  SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                                                  SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2950153
                                                                                                                                                                                                                                                                  Entropy (8bit):7.9987653712188695
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:49152:sIiDtH34v82VnTxK+JeWJi+F70HLFkIZgblvk/QcMEisjQhmC:WI0W0+J9o+V0rFkMgdAQcMEDC
                                                                                                                                                                                                                                                                  MD5:91453D3E1E2BC9586CF5495073FB3CF7
                                                                                                                                                                                                                                                                  SHA1:09CFA9DC27545FB600DD7A60E44258C511EB43C4
                                                                                                                                                                                                                                                                  SHA-256:5D398C6CE0636EADD4B7F6920DBD6127388F698E9BC1A440CB7DB3992ACB6557
                                                                                                                                                                                                                                                                  SHA-512:462D59453ED01D8DDF54E06319AAEFC0AB5EF70ED7B0A45FFD4D3F049692044ACF0DEE3599173E58A4C281BC69AF63D8B64F9586A1B2F04991ADFA6747F19BDC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-......z[Y...1........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r.......>.......~.}..V..)...i...?...Br......~...x.+W..$....S...,g.m...K:-.E..L[..Z....8~.i.!..+B.....U....~{.x..`...Z\z....16g....'..(.-.....T........e.......D...C..._.-...1...n....."C....V..?D.<........W.....7.x.v.6..fZo..Bl........'..B....[CP.m.X@....KX.#.\..........-;...&...m#._.....0T<.....K..9..3.._....v.m....I.Ez......\..Z..:d.:..eY...e.rS..*..#.JJ5W&!n@v.;.......@.,......G.[.|..<.=\.JW...."1.............<3A...B........f.x...R.W.XS\2.p....U.[.W..h.?AE!..?...>.c.....H<..+..u.~./..:..:....yr.....T..\.5..\D.{..M..1.4../....L..3....|W.J........6..z....0Z.....@S..P.N4....D[........1....g@$.....f........Pfb2.:.n...B...!..+.%F..^.f...F..^..i.W.3j*.}...G.h.Lg...}C....7e....v..l..Y.&....S.J{KqQ.}J.U.....`.w......t.>>~..f._..Fx..:.4.z.wvK9.$H........|.......|.`)..n.'.A....'....gD..."|.+<q7S......f%..oP8....A..RC....._2an.X..Q...H.Rx..^9$+.1...c/Q.p1.....!......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29224
                                                                                                                                                                                                                                                                  Entropy (8bit):6.341508215009247
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:NpYIrVWGYPHEUePsnhkgGIW7W8feKWDpQ6bo2dNyb8E9VF6IYijSJIVx+W8W:zTrVL3Ue0FSTuVbo2ZEpYi604W
                                                                                                                                                                                                                                                                  MD5:F9E96C557C427EF212A849BE49F7FC26
                                                                                                                                                                                                                                                                  SHA1:B2065BAEB817946470EEDBD2DB3AB73E169BD4D5
                                                                                                                                                                                                                                                                  SHA-256:701D183ED3150DCD35A601360241AB54C68B54B0AD80EDFA34569746EC76A275
                                                                                                                                                                                                                                                                  SHA-512:4B9A4670665EC93557A3F201995113D0609767B4E0AA105AC1F1CE5AF6262F91FA6F7212C735181A369BD770F66CD7F5D0D2E61B54C1428D9164A7996413D02E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I............." ..0..@...........^... ...`....... ...............................s....`.................................=^..O....`...............J..((...........]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................q^......H........*...2..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2006
                                                                                                                                                                                                                                                                  Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                                                  MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                                                  SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                                                  SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                                                  SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):200744
                                                                                                                                                                                                                                                                  Entropy (8bit):5.749226305007416
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:w6+fUrAluLy/Dy23JLbcc0FIE9cAT2tl/g2rPdniqiTjXLRgiV12:XbrZb23JLbcBFIB/JLFiqiTjbRG
                                                                                                                                                                                                                                                                  MD5:5F782D0CB0F717AE9DFD1B4DA1295F15
                                                                                                                                                                                                                                                                  SHA1:B33575E428E19940F0585C747E054CA70A12D454
                                                                                                                                                                                                                                                                  SHA-256:0F233BD5FE96CF5F7EFEA0FA0634F98C37A3A095F72ACC79A3544590BF228B43
                                                                                                                                                                                                                                                                  SHA-512:E373BE20E06F31F81A8C0368E8FBEE0BD7E98095A6E1F85ECB8969A35CAF32E22194E2448DE9213BB86478F454E708363EA6AB990648422B57F057A0516959ED
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]............"...0.................. ........@.. .......................@.......U....`.................................C...O.......4...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B................w.......H............$............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1780
                                                                                                                                                                                                                                                                  Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                                                  MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                                                  SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                                                  SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                                                  SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXVLU:WBVg
                                                                                                                                                                                                                                                                  MD5:98BC1C91690FAAB486632504B4053AE5
                                                                                                                                                                                                                                                                  SHA1:CA53F1C78C8300A9081FB8B32CF12A326F4C0867
                                                                                                                                                                                                                                                                  SHA-256:2E15A9CA4C56145F6E9E57F0A2AFB1435EE2C26DB84157812EB81C87911D2744
                                                                                                                                                                                                                                                                  SHA-512:FD3E660B69D987F4F56E3C73569AA73E25DEA8D4B7FB33A8D118CEC6CC7470D36D3A01F00B88E971D01A7901890DDA227BAE8068FBBCD5C5067CFDACDD0DA7F3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=20.1

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):102440
                                                                                                                                                                                                                                                                  Entropy (8bit):6.190075678943392
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:2PAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476wy:22bYbYSWd85I5sSakFQhHLv4E
                                                                                                                                                                                                                                                                  MD5:3B4C86E80369670261C68D1F5BB2AFC9
                                                                                                                                                                                                                                                                  SHA1:E77E028D8DBF603B8F41ACD2F2D75E4A57645FE1
                                                                                                                                                                                                                                                                  SHA-256:D2B782810BA8D8608BDCA858C44DDFDF3FC10C50F7732FA85D3A7F00CB624648
                                                                                                                                                                                                                                                                  SHA-512:983C50BFF6A88F732CC4F0790DB04CE2881F2FC80D5E8D8F793FBB961301F47B6DB722375603862D3E7CDB081C49CA5723E2449260D4286B3E9BD72D85A0F91E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95272
                                                                                                                                                                                                                                                                  Entropy (8bit):5.99620286041089
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:v4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766V:v4auS7S5Ea6WMcpuUB3
                                                                                                                                                                                                                                                                  MD5:BB307C07EBBB496EAE96F971B64A21BF
                                                                                                                                                                                                                                                                  SHA1:09A19DA0FBEB2CC3CBF081F554A7D42DC2894E26
                                                                                                                                                                                                                                                                  SHA-256:DFE846B759B22879C93220E28E0DEAD32971844B3EC92DCD4700E0E3FBEC96A0
                                                                                                                                                                                                                                                                  SHA-512:0E35ACF658CE98EFAFD4BD0DA4BE4860B77D84771646D295569F6EF689293205D9BAF858E29EB00D11C815490A12A65DA5A41C855E965035D084029739D235F4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ....................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.655242412887192
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:cXh+tY2jNyb8E9VF6IYijSJIVxaFHCcfj:cX862/EpYi600ic7
                                                                                                                                                                                                                                                                  MD5:BFEAD9EBEF84B6E54BD57D5E69EDCA31
                                                                                                                                                                                                                                                                  SHA1:92111F77D5775B3EF3A1AADCC1DB5F46A1954A6E
                                                                                                                                                                                                                                                                  SHA-256:D8D1E6308003DE036BB70B21F75AF7CA75F09ADD46BA61708C3A0802592C61D8
                                                                                                                                                                                                                                                                  SHA-512:3CCDA8E0095B65721C5054402245C0D52C323B94D2FD9E61FE04A812E278872D2BAF896E842794E14CF7ED86C1B33A5E0EE2D223CDF75ACB4DA7CFDFEAA9729A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ...............................}....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):75304
                                                                                                                                                                                                                                                                  Entropy (8bit):6.240768510010967
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYP:AF+qo7mDEwj4NXLGcfgruFcaD76j9s
                                                                                                                                                                                                                                                                  MD5:6D7FC33F2CBAA36AC49A0E59BDAB72AB
                                                                                                                                                                                                                                                                  SHA1:E2A77AA1C979C0BE322BA0A56D13558DB3A1C903
                                                                                                                                                                                                                                                                  SHA-256:DF56F140B50A1319F578FE9EDC6C4ED377E519A30DFC2A2D53A241F30C83FE3A
                                                                                                                                                                                                                                                                  SHA-512:C20A2188301F1D73327142DBD36C1FAC62116E034B0A49F5D4C23AD942F8642A2FFD1976B0B249B0C0011B04339F912847B381309C94605984BC4EB73D514D10
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`......./....`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.407474903458746
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:aQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi60i:a9MYn1seLE8JFMLcyXQ76P
                                                                                                                                                                                                                                                                  MD5:1DCD862442C7273B22B1CC318DF9BA51
                                                                                                                                                                                                                                                                  SHA1:154BBB2E1E3D4EC1BE4D75DFD4343CB362B1EA61
                                                                                                                                                                                                                                                                  SHA-256:64665F70B7A692C06570F487C3986C1D73AF507B2A15A52AB0B214F453FA9992
                                                                                                                                                                                                                                                                  SHA-512:80CBDD042B298CE25D0E82032E1B895B08A529D30A96306D8272E7F08FF3944A50C70632F06F803DDFFD0C9147ED83D8C43F8F43AF439A5B81BB3D7233D6D7D4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ...............................e....`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):145448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2033935785037295
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhO:09XeDmzV2yzlhKLFU1lLVp1+2flYFnQz
                                                                                                                                                                                                                                                                  MD5:31D90BF6DCA94221D7D81C17E334ED3F
                                                                                                                                                                                                                                                                  SHA1:8C72EB65C23BCCF35F3319B854A8EA56E0E7F953
                                                                                                                                                                                                                                                                  SHA-256:CBFA4444A4574661F12D27E6509682E3E9C746B3BE5CBFE8C794B05F6057E281
                                                                                                                                                                                                                                                                  SHA-512:D5E201F060E0F00FA10E057710B37AA51F76581D3C3FCB1D57974FEA6A140F680E018AE70508C48E5C6BE63E913DDE52294088382D6F1D44D23EA04102BDA8B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ....................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):96296
                                                                                                                                                                                                                                                                  Entropy (8bit):5.6328703738583465
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:a2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJ9Q:XQmyxL2L4D+YZL2X7SAaqywjhkWe9Q
                                                                                                                                                                                                                                                                  MD5:13AAE87ECD696247FAC397F045CC7EF7
                                                                                                                                                                                                                                                                  SHA1:69574E2201A5DBF1BB725DA3172865E0253468F2
                                                                                                                                                                                                                                                                  SHA-256:8DE7F96272724EA147FF1CC7544C7349798B3635AE9C9EC5680FEA11228A7DF6
                                                                                                                                                                                                                                                                  SHA-512:256D8ACE98885D5206B2E73DD323413291878CFDB8582E2FE94A31B725ED9681D9BD4371D4178038B5461936A3FBCF22FEB66E600BD68ACF31D9AACC3CEE06DE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ....................................@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):386600
                                                                                                                                                                                                                                                                  Entropy (8bit):6.136008226210181
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyo:9sbZnMfwWFKFrrWa8BvEyo
                                                                                                                                                                                                                                                                  MD5:5FC49C1DD74CA00CC0A054401EBE93C7
                                                                                                                                                                                                                                                                  SHA1:942CF1D170A81784342DC552D7A4EC0157245159
                                                                                                                                                                                                                                                                  SHA-256:B4643B63E61BE52F6750A9A429914D9ED2488D40CC3EEEF4BE97350ED11387AB
                                                                                                                                                                                                                                                                  SHA-512:CF4C0102B677B401B113C7BEEE14AC1F70A6CCB3D926A50BA7DB55A748D9CBB5A53025ADF2111424492C08AAE44FEA325740ABEC1D4ED912D549FC5786EBCE05
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... .......<....`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.83462305683277
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:7N9VWhX3WseNyb8E9VF6IYijSJIVxF5WY5R:RGZmEpYi60Z
                                                                                                                                                                                                                                                                  MD5:5FCBC5F2BF666A740409BAC1CD7C045E
                                                                                                                                                                                                                                                                  SHA1:6DB922DBF23EA02B9351DBA4169B0E4EB350BA91
                                                                                                                                                                                                                                                                  SHA-256:E201521DE53052ACD367AD9B3868776E5F061E088446D2D6409420F0101A5AFB
                                                                                                                                                                                                                                                                  SHA-512:906F5E8EB5887DE4BA920367ED75480EF506952E149D2554E618442353CA4B2CDF2684839988345B00C356A2D77213B6B905E68213B445EBCC6D5E75E507B65B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ..............................f.....@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):331816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.168683157071498
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:8BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTO:8DMUWITZznu85k8Wdn8KmCjIFi3Vvi
                                                                                                                                                                                                                                                                  MD5:750E65DDE7AC14B5920FAA34E9807AB6
                                                                                                                                                                                                                                                                  SHA1:9BA2E717AF511711683CEA7E1A62EC160E350A6A
                                                                                                                                                                                                                                                                  SHA-256:0DB29ECF229457A276C3BB0A02179C09877938C5EC5724352ADA6B16407DE331
                                                                                                                                                                                                                                                                  SHA-512:794C41AB53DBCF9F5AF6AD35DC5ED9C7E2290A160BBD28D1CF2A7FD1351A5410989D3B27B4C9B52325CA4F01A79B485FB07299AFC47C33AB6EFC55A77E53D5F6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@............@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):883752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.071371193883245
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:b1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ6:b1n1p9LdRN39aQZUqX
                                                                                                                                                                                                                                                                  MD5:5BB4618C81652C0FD405001CDB982416
                                                                                                                                                                                                                                                                  SHA1:BFA540860AC3D1D49FB896EE2E177631E43A33EB
                                                                                                                                                                                                                                                                  SHA-256:ED6673853467A267CFF6E4E2E07037F0226A2942D335F59E6A9B3E7E372574F2
                                                                                                                                                                                                                                                                  SHA-512:5D37B663D6002060E191E6A4B4ECED6380349590F2E02910A8460DE5808C68C9BF7AD228015ECFA9A5824BC46B577DD20C094E45D11383BE00E96685B207B7EF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ..............................).....`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710184
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960343834822355
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU6V:2BA/ZTvQD0XY0AJBSjRlXP36RMGnV
                                                                                                                                                                                                                                                                  MD5:79FF2C67FD3F8A73B18336167944F91F
                                                                                                                                                                                                                                                                  SHA1:974E824087D0146CD0139DD6C515F7A769552934
                                                                                                                                                                                                                                                                  SHA-256:D77ABEEFC22B5E0B6904AD2EB8D0D82B9A6611A47DF60EDA3B62436203734061
                                                                                                                                                                                                                                                                  SHA-512:35C8DFCB95EFB9D7EF2D24D2A08DAC244161326F7AA1290F37B40CBAA0580C1DCDD0434D53D88E362EAAE91ECE91A968466151B90D05A77C124DAA4DB77777E9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):285736
                                                                                                                                                                                                                                                                  Entropy (8bit):6.184394295423341
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:LZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvk:LZU0BJwuOcrl1w7HX3HWJ
                                                                                                                                                                                                                                                                  MD5:E9622BB406B5CC041DAB8042402838CC
                                                                                                                                                                                                                                                                  SHA1:08DD86152507F8381E92AECA2BF9F92DF445FD78
                                                                                                                                                                                                                                                                  SHA-256:27B83B19EBBEBB69297D7C071CBFEEC3CF5825A7669D9844C1F5C03D32F221CC
                                                                                                                                                                                                                                                                  SHA-512:6D495D15BDC165A09712578D1BFE8B11DCDCBD7A71282F0B892BCE07028C3F3DAF19E5FF0A45C1F7CE235325B68280B359559C0DF6434876271B367EDFFEA16C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ..............................5.....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.557142083271252
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:IAQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxs+8:L1LOg3BtNbEpYi60i
                                                                                                                                                                                                                                                                  MD5:2532E59305E0008E57C2BDD160B3D3C1
                                                                                                                                                                                                                                                                  SHA1:61FDFABA94E32F9C6A6D4C83F1AFF039C0DFB46A
                                                                                                                                                                                                                                                                  SHA-256:DB151AB41076953016567010F1B6D14035EE149DBEC43DA8E7ED4E67DDC834B0
                                                                                                                                                                                                                                                                  SHA-512:207A73F85F14837C844F3B54D87181DFB609FDC4523482ED8DEE24DD9B1C39103FD4DE3B8EDB1ACB4EBCB65211F1959BB1A4EED48C031EC3A30523E9DC3B6495
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ...............................,....`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2029
                                                                                                                                                                                                                                                                  Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                                                  MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                                                  SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                                                  SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                                                  SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):210984
                                                                                                                                                                                                                                                                  Entropy (8bit):5.347898606449367
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:8sMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7c:VMNkrE4AOqcIzQijLC
                                                                                                                                                                                                                                                                  MD5:D9123F80F12ABA0AA0596E710AE8C2DF
                                                                                                                                                                                                                                                                  SHA1:DAF74A60246DBF736CAC318F5113E9787926E3D0
                                                                                                                                                                                                                                                                  SHA-256:C342B88D1BB7BBCE4244262BBD86D439333A339947675192A5599D6FC6B1549F
                                                                                                                                                                                                                                                                  SHA-512:816518573C0409C9DB4DD543BD1185C25E92093E3396D358AAFE4E65BE5BC278B23A8F417C86981120F1E5D9E4330BDCE49058D28BEE11ABCF2EDC5D74F2CBF5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`............`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):19433
                                                                                                                                                                                                                                                                  Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                                                  MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                                                  SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                                                  SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                                                  SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):284200
                                                                                                                                                                                                                                                                  Entropy (8bit):6.117054902542995
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:TZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHv:9go0WPVTXgP
                                                                                                                                                                                                                                                                  MD5:26091035FE3B95AEF02880C0F16EE5D2
                                                                                                                                                                                                                                                                  SHA1:D6BD36B439AD591929DCCAFA6E1FA7FD419BDEDD
                                                                                                                                                                                                                                                                  SHA-256:21FE70B8F2B0D14AF696CC931D2A34A29F97AA003CE9711A7606CCF1562F155A
                                                                                                                                                                                                                                                                  SHA-512:4DC302392B95993FE5E4700B99B6B152CB0BE5DE327720E5CFE71D662DBC475F04F554CE660318D024A32F99CB274167803C01FD35FFA52E0A38129E2012A871
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...............................`....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.808058508898839
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:mDNxWQFWsoNyb8E9VF6IYijSJIVx5+V772g:mDNVLAEpYi60ix
                                                                                                                                                                                                                                                                  MD5:CB6CEAD1C494643D8BC177A3181DAA46
                                                                                                                                                                                                                                                                  SHA1:28FC5E2823C87ACB25AA28C72E36E8FED27509C8
                                                                                                                                                                                                                                                                  SHA-256:C77CE05A295FE74CC5536BB3067310412E416AB5207C1A147AA3FB0396B607F0
                                                                                                                                                                                                                                                                  SHA-512:A0DA988D2B8909ACC02F33FCB23ECC4D518DC087FAF1D4EC97FBEE9D214DAC3D203AF8DDC36D117403781F3B908DCA3B392E6985B0955504BA7935BD1C665443
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ..............................+.....@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.670261992081206
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:OrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAUy6k:OrMcXP64LEpYi600
                                                                                                                                                                                                                                                                  MD5:EC6BE562CD6ED413FF0E833A77595A6A
                                                                                                                                                                                                                                                                  SHA1:3D78998E7532950DE013624F79D84B0BDD038E35
                                                                                                                                                                                                                                                                  SHA-256:58A397559EB7450009E7DCEED705386E97403B640E4C2572A2C21ED38ECEC7BE
                                                                                                                                                                                                                                                                  SHA-512:4477A3975C10E011F406849CAD5F178CC621F29797AAEE26E5D9E6DCEB9174FC573CFFA5D6CC216816E142941572CB1F768079CA091532EDFE0C183FCE7C4267
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ....................................@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.903995238231185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:cm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89QpN:EtaJEpYi60w9qN
                                                                                                                                                                                                                                                                  MD5:C27898B6BA04D6A07DC20F956DD5B692
                                                                                                                                                                                                                                                                  SHA1:AB58016F4F33BB28422732254FCFFBB55D35568D
                                                                                                                                                                                                                                                                  SHA-256:B26BCE9C60613EA4C558F37C13C019ED90EE425C0DF34EF46F1394731D123AAF
                                                                                                                                                                                                                                                                  SHA-512:C11CA3B0DAA4BF95D9991743FE42627BE31DF0F1FB7FD1116C29659442AD1A548BF21C08184CF6397DB56E548B09DCAE08ED7C4D387FDBCE06D4AC4A2F638CAA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................q....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.899076813883936
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:+napn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKJFNt:9Dur5NEpYi6002V
                                                                                                                                                                                                                                                                  MD5:0A6F2F96579FB5DEA09A1D43AC461A1A
                                                                                                                                                                                                                                                                  SHA1:AC96B251758FC588C699BD92F9C295F90390F777
                                                                                                                                                                                                                                                                  SHA-256:64E8FD26982BB275167E2C063FA9B6FD91C867DCFE8F685978C79BE5D56FB1D8
                                                                                                                                                                                                                                                                  SHA-512:17EFE747E4DC387DB0AF3B328F3C039786806FA85D574E94B23F4CCA6A50B9768B37A094A797ADAAB4B4FCAB8DFDA950F0E9B41EB8FE4505A4116941A7E09184
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................._....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.9045106778941765
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:THLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3Sp:aPv5t/NOOMEpYi608i
                                                                                                                                                                                                                                                                  MD5:BC6FBEE698B433A15A5A8677C6E5227F
                                                                                                                                                                                                                                                                  SHA1:70C76DD5825850EB215B7E9070418AEA6ED8CADE
                                                                                                                                                                                                                                                                  SHA-256:1FECD69B9EBAFD71F1DDC6DA55091FB5EAE5C2985901D07B7866F6146AECA31C
                                                                                                                                                                                                                                                                  SHA-512:537A2122AB5E8472BBA4E3FDF5AD20D11852E4456EFE903FDE30B28FA667C4867723B88D15494B2A8C16516050F2DA254541845983EF7BEDF85D016A0B9E36AD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ..............................]i....@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.759690943204462
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:S6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQhpXi:EiAuEEpYi609mu
                                                                                                                                                                                                                                                                  MD5:F140E615371C9918B41BB82BEFC04B60
                                                                                                                                                                                                                                                                  SHA1:30CDA9BCD776EBE15DD6E2A544662B1ED1711294
                                                                                                                                                                                                                                                                  SHA-256:4DD6878D7D30A6BE05FBDDDBDB1D8EBC2B0A3F264DE071069F019F5A47766911
                                                                                                                                                                                                                                                                  SHA-512:612A62533A48D8261D0287448B3BD51F891512305D86899B7E67CF5CB9F0BFF7F6EB4FA0C758D6802BBD2AEE2718B8D4D9B081292DEA285F1A3C13BF9119CE40
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...............................y....@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.811319806859492
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:vnzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JiCB:Xpui4EpYi607HB
                                                                                                                                                                                                                                                                  MD5:674C7CC18094A065F1AD7C2D70B6DCDB
                                                                                                                                                                                                                                                                  SHA1:62F106B045278CCC693684697B55BD1D6AEC77E9
                                                                                                                                                                                                                                                                  SHA-256:1DBE44461DBBE4E57F9F28FF4B2F4F68E49C2DEE1FB632449F2B3D7046ED2CDF
                                                                                                                                                                                                                                                                  SHA-512:8C7C029227051B60156636CB0B1D93ECD2D64C23E61FF4C104D511BA1ECCCB6374A3AAC5A8A19D3F028391F74CE196FDE257C811B1E6A6BDAAE7FEB577F8A7B7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ..............................l.....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8574566850311935
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:9Ghr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVU5j:ikmcvEpYi600
                                                                                                                                                                                                                                                                  MD5:814CA88031F4742F96F0A1FC023BD1B2
                                                                                                                                                                                                                                                                  SHA1:14ABC123D068A7A436A90AC7575638FE3718FECE
                                                                                                                                                                                                                                                                  SHA-256:6B94B8330FEA4DC6A8B8346C8327F5263EF404A79604DA345E4750B3E577AFA2
                                                                                                                                                                                                                                                                  SHA-512:8EE21783BE3F4087DA177E956427D2FB55BF6A42BD67E55DEEC109FB3A9134C76480D8C5B4434A531E21D46446EDA8772AC4897564BA4C6FCD479A96082F199B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ..............................N.....@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.791342781786458
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:tRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4XLb:tS9b2yEpYi60Y/
                                                                                                                                                                                                                                                                  MD5:2FF5CA376EC3B22D4C644E0D2EF2C251
                                                                                                                                                                                                                                                                  SHA1:CB44B2A742F07ACA00C81A8E6E974F8EB48E287E
                                                                                                                                                                                                                                                                  SHA-256:518157DDFFAB7B2E4FAA5F35315786FFE78C3ABA1D282A71E8531324C220A7D5
                                                                                                                                                                                                                                                                  SHA-512:0ED9C50322375C86FE1A508302F417B8036C4E14B8665509D1465EB3270CF9F69B2D9D05D12C00503BE1CCD0B059EC09EBC1B0DE0B4344CA7248CBF98AA95204
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ..............................Q.....@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.849219139849392
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:sT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcomX+Q:s998yEpYi60ZQ
                                                                                                                                                                                                                                                                  MD5:A3767F833B7DC371A63FD24BC47EC860
                                                                                                                                                                                                                                                                  SHA1:962EAC5A3F829D0E7A37D357B59784FC2C30D0C5
                                                                                                                                                                                                                                                                  SHA-256:977059230957BD6898054C5690B79770CCAFD001E6530976F4555E943291CB92
                                                                                                                                                                                                                                                                  SHA-512:6A168D4E72B89B65AC385E99D13AA36004A22EACBBDA93D7A933C05191EF9A4AF88A667150E12787FCF1D595B46B5C297521DD8B0B302329FF91CBA938D7E737
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.847269902417784
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:NRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+tLZB:P7icodEpYi60u87
                                                                                                                                                                                                                                                                  MD5:D8301ABE51723EA90AC26BEC7107CDE2
                                                                                                                                                                                                                                                                  SHA1:A23A59BF76D2984D83D2151754AFCDE0F8B39571
                                                                                                                                                                                                                                                                  SHA-256:6CDF0F8678D101EE6837283A663E4E57FF0C04E32AF3906A502568F63A2054A1
                                                                                                                                                                                                                                                                  SHA-512:FA46D4A5F0804DEBF7154096A00BE4D0EACA869B16AD36A99D4AFFAAB2B27454AA31D181EB2DE92BE9BED82B0E486C2667F4ACFC89CE0BFE41B784474C438FF2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... ..............................$.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):148520
                                                                                                                                                                                                                                                                  Entropy (8bit):5.417690904085497
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:FdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSP:z+2jv1x0ebezWiun
                                                                                                                                                                                                                                                                  MD5:4E5715CCEAED8AF7F5FBCA92CF7890AC
                                                                                                                                                                                                                                                                  SHA1:0D9195E6861675CC4AB9231D8D37C6787DB70ABE
                                                                                                                                                                                                                                                                  SHA-256:E31EE9088ABE8F4B12037583861D50425A51470D455DCB2B3F14B976DEA7DF35
                                                                                                                                                                                                                                                                  SHA-512:87D665FF6550BB48512AD07C22D6C4FC2280AEF9952FA19BBD846D6271F50E99704B551E11CDD17DA4ED195F4A468BD6DC53E06D74DBC3B6B1FAEFC36F4D452B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ..............................L.....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.811910923320141
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:qzNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi93JGX:4RtRWjYWw9Nyb8E9VF6IYijSJIVxINGX
                                                                                                                                                                                                                                                                  MD5:5BBDB5177872D6056A16156D1054629A
                                                                                                                                                                                                                                                                  SHA1:C406A78F21B73C98C1650DA863F62D9574CBC1B0
                                                                                                                                                                                                                                                                  SHA-256:FDC5C25D74B42D5394A957A2BF76C892A79C14F0EB47365AA7658D614367009F
                                                                                                                                                                                                                                                                  SHA-512:C6BC4FA6D4C5B503D596B54BEB4BF22B831622499C2176FD677304CD1444D21605BF1F39A4B02EE319C2C04255B17F6DAA48B0087B61DBB6B577CF55DF599376
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ...............................h....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.891333615519176
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ZeWnoW7zNyb8E9VF6IYijSJIVxG1+M1v9:ZnJvEpYi601M/
                                                                                                                                                                                                                                                                  MD5:492474182461AD44627970F9BDA3353A
                                                                                                                                                                                                                                                                  SHA1:4615E954172D1CAEA1E254972DC7F995231B0C79
                                                                                                                                                                                                                                                                  SHA-256:54BB3F2B00F95B924EEB7896B0A2F00DF47BE6B5A35535523CE04EC3DB26B586
                                                                                                                                                                                                                                                                  SHA-512:2EF0B4E7CB9707C34BD8A1069D4AAB1E5D1B97857D93F12F3C76F985B69F946B7D0CEB7532E155D24D58CBECDD96A6C10793DE07EABCB2379C61BCC3BAFC5882
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................k....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):99368
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2367181096327435
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:qTDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD763K4:CitRK/XIgIZAXjD96WfLtGdM5baDI
                                                                                                                                                                                                                                                                  MD5:E436018D154260FB2AC921477F8E31A1
                                                                                                                                                                                                                                                                  SHA1:78330AC1C3D16B6A84954E0FCB05EF81C2AAB773
                                                                                                                                                                                                                                                                  SHA-256:C294A1022777E2B3F9B30E6D0F25E0D0EC93EAFC08B120EB09A62D3A66F0CC6F
                                                                                                                                                                                                                                                                  SHA-512:531103448B34CD9914927B7037BE7BA55D4352C555566EA2B67EADDC1271E5D71474C789B0BAB6E7C2BD408A849340B68AA69AFD24AB91D80C3E8B4CFB3FE285
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ...............................-....`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.849695340076211
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:F6oWJjWN3Nyb8E9VF6IYijSJIVxukIAFaS:F6vk7EpYi60J
                                                                                                                                                                                                                                                                  MD5:D6E6ABBB9F1D390F625547ABF8816006
                                                                                                                                                                                                                                                                  SHA1:022D2B079CFE2498C72DDE7E46E07A6AB5F34E00
                                                                                                                                                                                                                                                                  SHA-256:C9C9931BAE9A3AAAF026FCE5FA63B1A53E77C1848018D1738D5CE5435BF7E756
                                                                                                                                                                                                                                                                  SHA-512:06E902B78EF858CE31FF7AB77211872F0683D03E5A05C8BE9DAB24D41E885C555691B385C993BCB8A6D87E2D4C6746117B6748BA17351C6A6A158F98E346C81D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................C.....@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.777208714139607
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Eqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjO0:Eqk53MmSEpYi60H
                                                                                                                                                                                                                                                                  MD5:541C108C06FDBC6FEAD67A016EF12FB7
                                                                                                                                                                                                                                                                  SHA1:0EE2C9A8741E723DE3864428CE137E6DB17A4B7D
                                                                                                                                                                                                                                                                  SHA-256:27EBC61FAB1EE87C8AC6D5D5F00C94625C01E3A105A5C7471075E66A342A3019
                                                                                                                                                                                                                                                                  SHA-512:0C5274B487C5EADA7968010F49A66D5464F095B7AC9B9553E5AB7568EFAAA672FB27A668E5F7EAF9323D1D12AA3A3CBEFB3D2108D91281EB6B915EAA93BE05BF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ...............................Z....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.662038790195001
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:vFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwON9ll:9CcyCrSEpYi603j
                                                                                                                                                                                                                                                                  MD5:10DF0D52BD08862FB41F2C8582288AB2
                                                                                                                                                                                                                                                                  SHA1:139BBFDD3A66EC2E784D018957CA20B53876F72F
                                                                                                                                                                                                                                                                  SHA-256:13643BB940237A53CAA30F1C003F10342CEEC98277E92C3A732477D51AD557CC
                                                                                                                                                                                                                                                                  SHA-512:1380E2D3674383679728387FFC34831EA63AB5CAC650C1560F8518BAA850F8129F2499BF21D561E2FB06DA0FCC8E30472553CE5137F114075639B4A2AD16157F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ....................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.875406955244284
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:9AWxMWxiNyb8E9VF6IYijSJIVxMPtr8pa:9vjiEpYi604r4a
                                                                                                                                                                                                                                                                  MD5:A084DC9EAA9782BA85BB94D61D73028F
                                                                                                                                                                                                                                                                  SHA1:BE0EC4DE4E411637C955BE82182F79AD976EF059
                                                                                                                                                                                                                                                                  SHA-256:05D7F866C30747A14A6A853F4748379040394E2A44DCED7053484CE5008E44EC
                                                                                                                                                                                                                                                                  SHA-512:95D541599CF41681D98210A385828E3F86899B1014548907C5F902DFFCA671BCFA850B592F02DED2E7D62CA43E3281ACAFADD518E363BEC6F710BFCB9FA60ABC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8556365736617035
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:7AlcWHaWOQNyb8E9VF6IYijSJIVxyoOVk:Q96oEpYi603Mk
                                                                                                                                                                                                                                                                  MD5:A1CC50DB46DD86DF240CC2A23B6BBAD6
                                                                                                                                                                                                                                                                  SHA1:463ADC4A19FE32A49331DE9B2C6D67EFA8CE1BE7
                                                                                                                                                                                                                                                                  SHA-256:302C98A9C7D98021ED1F31D8053835EA1D1B1625A9BC0E0367A730255F14F11E
                                                                                                                                                                                                                                                                  SHA-512:7DA514CFE77E38DDF394BD69FC285BE03EEF921142FB50031B00873532F3188ED75D491A5DA088518E29270B1C421AB9625683368DB78F3ADD3E95B42480B49D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................~R....@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.775846940237315
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zeIZnWlNWTaNyb8E9VF6IYijSJIVxpcstAgx:iUyo6EpYi60Pvx
                                                                                                                                                                                                                                                                  MD5:9671E55290BE36C3CD22D6A549922449
                                                                                                                                                                                                                                                                  SHA1:286C9D98A1520DFE23977BAC6FAC824C1E2694D8
                                                                                                                                                                                                                                                                  SHA-256:8BE085D0C8454FD84F57B36CF815288B68AD57021D581CC263110127AF0316B5
                                                                                                                                                                                                                                                                  SHA-512:C9DA2CE9B4EDF22FD871DE2555AE8A57D404D5A415857F90D6630FA372A5543A76E9C1425146FDE92A34C2184EE1C589AC5F8E0008635B7EFF23AF7FB250B5F7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................+.....@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.491261723097907
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:qlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF6K:AQq33333333kX+TBi8OGEpYi60/T
                                                                                                                                                                                                                                                                  MD5:B3662B640160F37317BBAE869DBA68F3
                                                                                                                                                                                                                                                                  SHA1:47D6CF7158EE942AFF3503ACA9CC72B4A3457264
                                                                                                                                                                                                                                                                  SHA-256:5A1B51984ABDA1A9BF710A7B475BA3CF4377B18044B01313683B19A6DE84A8CE
                                                                                                                                                                                                                                                                  SHA-512:44647F1142741F424459301CD03DB1AE0CB383F016F00C1C22DBEBB083861E12B32DC946004913E125C39C4A7458D8E945AE6A46F155C95132E0A1FCA58A730E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ....................................@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.849594226945824
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:c28YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9Cs7:c0qX2EpYi60i7
                                                                                                                                                                                                                                                                  MD5:E5FD46755DB68482AAC91448007B7EF1
                                                                                                                                                                                                                                                                  SHA1:924B322CCBDD9BC877D9AD0938469DAEBF42FFFB
                                                                                                                                                                                                                                                                  SHA-256:0685FBBED961D709397949761A74E03D23C91A1386AED35B7D603265FE671CD0
                                                                                                                                                                                                                                                                  SHA-512:CC35F27872FEE334300226DB72DA4B2FA0A7BCBB56182CF5C41A0937B7F9B9C38BD261F4455608BFAAA6001C0BD299F2706F407A2F6275E88EC7602D932C108B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................9.....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.728260171249145
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:AuMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3djz:dOcSpS2EpYi60h
                                                                                                                                                                                                                                                                  MD5:16058CE2B1E71FFB59B1B3AF098B45D6
                                                                                                                                                                                                                                                                  SHA1:8A3A8393790B5DF0110308E1457F479B776F4643
                                                                                                                                                                                                                                                                  SHA-256:F49DEB25BBE363AB05CF8D0746C6B7968BE017994A38287C6F7DF720F3735753
                                                                                                                                                                                                                                                                  SHA-512:D2D4CF48E16D98DA4CEF3AC1C451C8FB6354E2EB2116D12910E38E229A3FECD7111FC88C9A20D97DBA633B9B73A4AF236BCD97F9816B3155E50A84C6B8DAF66A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ..............................S.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8132103569800675
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:VZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaC7C:z9qKqjqjuq5kEpYi60LC
                                                                                                                                                                                                                                                                  MD5:935B3F4DCBFF7BBD52913D0F7EAAFBA9
                                                                                                                                                                                                                                                                  SHA1:1D733AD56E1CDC7DE2779F63ED2EFE9FD1E45C2F
                                                                                                                                                                                                                                                                  SHA-256:8ADDFEC47A19651E12512201A0934918B987C49CB99D76240CE3A1F9F0E5CF34
                                                                                                                                                                                                                                                                  SHA-512:8801B708FC1074036B97AE888C7A0084D25F805D599C1A76B293BE63038C36A997069D2B6B7889CE13AC7A2F2681D2C82BCE2AA9B72FE34BD3C4BD771E1CDAC4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ...............................`....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.628083630487221
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:0NBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3oNZ:0vMhF2SzNzwu/NljuQmEpYi60MQa
                                                                                                                                                                                                                                                                  MD5:483D7EFB2ADC512ED1563B35B9B3EFD5
                                                                                                                                                                                                                                                                  SHA1:8E722995213EC350A5C7EFF9E5051055FF620830
                                                                                                                                                                                                                                                                  SHA-256:C25F19BAECAAA43BC0F66CBE2A4D62667F63480A69E6D2F283C39CF0C29575DD
                                                                                                                                                                                                                                                                  SHA-512:90D47C1B3F5FEC620D4EED5623AABF0749FC6CE76946F10ABEABDCAB57F70D98B16F4D5D033F5C945B8C5364B3C64EE329775B6AB01541BAB17B790770F8AA4E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.9010962408519045
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:HZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyU4D:HZK0pJuImEpYi60o9D
                                                                                                                                                                                                                                                                  MD5:049F4C96D31A5E6B98B5D637F00C1C32
                                                                                                                                                                                                                                                                  SHA1:133CBD6A89A92AC4CD29A632A065B33D7EAF3EC4
                                                                                                                                                                                                                                                                  SHA-256:DD1833786DA36E28E56E8B213C793CD57F18D9A3178C6849421AFD1054DBD499
                                                                                                                                                                                                                                                                  SHA-512:E6E1250556CFF2905D299E9BFD173204B458D00F9F3A1D1027950D6C3691BFD4084189F296C73F2635F92D5D4CBE4B8A17A2FBC19932501403F9BA1A04BBAF07
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................5....@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.79493567439118
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:pYWsmWIyNyb8E9VF6IYijSJIVx39m93xf:p2wSEpYi60QLf
                                                                                                                                                                                                                                                                  MD5:DF8B1FEAD5A4F0105FA1F2E8C5846C32
                                                                                                                                                                                                                                                                  SHA1:42543F56C95297347741D83B2895089071BA0165
                                                                                                                                                                                                                                                                  SHA-256:849BE6985BE9E724F51B1E49A4458B0CDFA39BBE34C14856673145ADF453FC61
                                                                                                                                                                                                                                                                  SHA-512:A0F1C331C51F028596FCCA91BA911D4E028A5749B51CCAD7CA718D1413649A244D4CAC6F9653C83AD593FBA7588B391BFE5DA19DEB2DD23E647139C211FC878E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................3....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):105000
                                                                                                                                                                                                                                                                  Entropy (8bit):6.382223209570539
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:Svc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76GQ:Ogk1tiLMYiDFvxqrWDWNoJXBAw
                                                                                                                                                                                                                                                                  MD5:4D5373B6A808F58896D8ECA2336AFD01
                                                                                                                                                                                                                                                                  SHA1:8A2D965974BE510616A1B689064D52C82307F142
                                                                                                                                                                                                                                                                  SHA-256:F057B5B2405F7C094FDE00200F813280BAA6E2323CA55450547042F15B2EFE25
                                                                                                                                                                                                                                                                  SHA-512:D6C217672649826C9D8BA2A5626F351494D3533F8F8F651064D9E2B7D8D4E75922B1FB87624B1B2FDD59C4C130D3359F3E189E6A04732972A69813D5BB7D3F88
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................&w....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.852952043693082
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:XKcuz1W1cWliNyb8E9VF6IYijSJIVxLnd9f2S:Fu8niEpYi60beS
                                                                                                                                                                                                                                                                  MD5:53D21921EFE5BBFFAF3146D0085D7D00
                                                                                                                                                                                                                                                                  SHA1:5A927CD487E88E62836BF2268F3475E49733BF8F
                                                                                                                                                                                                                                                                  SHA-256:24A261F2686F7356E10775FB50D757C52CE60C8CCF534301A87C95CDF5C82DEA
                                                                                                                                                                                                                                                                  SHA-512:403DB78A35F9EB212FF7B0FDDBBEB0D62EF0307E9E0CDBDA5814666C03DC710D5277D042F8C3D5E10471DA310BCF1D978CCC802B99A66546832A41DF645009EC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.860170703382652
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:i+SWikW0uNyb8E9VF6IYijSJIVxAd562Dn:i+eGWEpYi60Cbn
                                                                                                                                                                                                                                                                  MD5:8A1D6584F6699495D216CE48FC51CEC0
                                                                                                                                                                                                                                                                  SHA1:216DE8412ACC0B0F518DF2A054C16F8D06F738D8
                                                                                                                                                                                                                                                                  SHA-256:38CF660842803C4A0857F867084818A4142B25E03523998353574AEE007714FF
                                                                                                                                                                                                                                                                  SHA-512:02C91FD17F37AA0FE6083F5408B992A8D73CF67C164AF3373DCB90CFFF85198AAF3FC259DB954532F74A03A222858E38E83424610F4AF9C2032E0624CBDB8E8A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................^....@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.905045898726266
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:aDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am9/fr:iAWzgWSsNyb8E9VF6IYijSJIVxXej
                                                                                                                                                                                                                                                                  MD5:8A767C64807803EE2157ECED3EAB4F40
                                                                                                                                                                                                                                                                  SHA1:6F43F7316CC9C0D076D34AA8FDA46000F49D401A
                                                                                                                                                                                                                                                                  SHA-256:837590D809B2A96F1419C5679D80FA2754FA834F2A334757C42DC466A048EE5E
                                                                                                                                                                                                                                                                  SHA-512:C6966CA4F0F40BEE5A4ECA7F6447AA5589879E40EFEE78116E684F4CC824FF2E4F4DBB22A4C387CE4D9924BF5CABDE6E8CD9E6CCCB60D89FFF1D500BD83C1485
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................~....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.86496439626087
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:xBLRWbYWziZNyb8E9VF6IYijSJIVx7cB0k:xB2xi9EpYi60YP
                                                                                                                                                                                                                                                                  MD5:A7AEEE4138CB59CCD273DBD2E0E79D9A
                                                                                                                                                                                                                                                                  SHA1:31C9C6E1E50CA1C39D924ACE1E8E4C642A687431
                                                                                                                                                                                                                                                                  SHA-256:6F46D4AFCC2EF8B44B7A775837F01E7EDD92E2A2A6FEDAD769FF28C7EA7C6D3A
                                                                                                                                                                                                                                                                  SHA-512:4A7756E5F66857C9CDAF9E80E8AABDC234E0091E6C23A146B77FE88F54776E25B1E673827E5E0CA65F1B34E7A02671268BD1780DC7966CEFAE343977ECDC4CF2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ..............................oN....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8507567406121606
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:HZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5ypzB:jHW4/W1HNyb8E9VF6IYijSJIVx+8V
                                                                                                                                                                                                                                                                  MD5:11583B81A132095BE2553F4253FFE986
                                                                                                                                                                                                                                                                  SHA1:B8D126B7A3F4656A9AE66761BB6CD6949C1B120D
                                                                                                                                                                                                                                                                  SHA-256:6971DB538DF637710C89BB3036CD347402E40492CFB7EB49854227C9D49ABF8D
                                                                                                                                                                                                                                                                  SHA-512:FA28628BCFCF5F5A271C7D690C96C9FEC12001DCE3BA15BC275E56480AC18189C7023B952330DB806F53C941DB196F6A264A5CB8B1E68BE9A5BCC7430CF1FA2F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................s<....@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.909698580195596
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:CYvkRxpHWmCW5IPRNyby2sE9jBF6IYiYF85S35IVnxGUHF6qPQ:jvk7hWmCWKpNyb8E9VF6IYijSJIVxuOQ
                                                                                                                                                                                                                                                                  MD5:29CF4ABD4ED3C2A7D09C5C3EB6E5A9EC
                                                                                                                                                                                                                                                                  SHA1:6F07AF36D1E1E296F360790FC37587AD5CBDDABC
                                                                                                                                                                                                                                                                  SHA-256:06BE89325BAD5BD4122CD3893FF97D16605BC09E15A4B192DB8CA05203C4C8ED
                                                                                                                                                                                                                                                                  SHA-512:6E0663EA3D4FEEE1C8BB3D31B913091643D68B7537AA796FE403787AA8C8FF62E8A4140C929BF46483B4FF245F3F06C789195E43CDF2656A0ED04DE0337F42B7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................y.....@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.875163574516282
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:GUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDOvs:0GMWCUWiBNyb8E9VF6IYijSJIVxRxE
                                                                                                                                                                                                                                                                  MD5:470DB4BFE7A89CD96F38B3F12DE58C8B
                                                                                                                                                                                                                                                                  SHA1:5EC096244022021F28AEFD534E4CA7A1C4ECB418
                                                                                                                                                                                                                                                                  SHA-256:AA7F7643BCD4A35D4A49C96B598B952D479E83136C287D6794AF2B092BC3A7F5
                                                                                                                                                                                                                                                                  SHA-512:291EA1AF40E673D8A81C13DA93229657BED8E1EA763AFD180DD68302E9A4C09A21E59147670564C50F733AD1DCA1858EE9DFF110D2C8AD5CD13DDC3E59483BAB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.856598427079228
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:TBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtglWu:TDwIBSoEpYi60n
                                                                                                                                                                                                                                                                  MD5:E6D143B54F697EED02B42E6007AF16B1
                                                                                                                                                                                                                                                                  SHA1:F0405BB9FCC8F0E49DBD8015C975C07FE4A3522A
                                                                                                                                                                                                                                                                  SHA-256:A2F2615224D8B72EF36FB575511E79405BFE0D17EE56A9C8A688096984D06508
                                                                                                                                                                                                                                                                  SHA-512:92F060494E8841C468014D5E0651534AD2429BD070B803D0DF6F9A31A50609D8DB582794DB1674DF78B7DDB344EE852F27A98FC81A0710271FBA4531579DFA00
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.867121675573712
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:QyvPRW4lWvKNyb8E9VF6IYijSJIVxnKoxt:R39oKEpYi60r
                                                                                                                                                                                                                                                                  MD5:3BBD93806959285D0FA7A7B78AA8280B
                                                                                                                                                                                                                                                                  SHA1:BCFB697B9BD36EF0CBC637BFC672FC7EC0A7252A
                                                                                                                                                                                                                                                                  SHA-256:540FA4BC8DF4D9EB350F1A95FFD8872AA7781342E3005DF895342C459F97E205
                                                                                                                                                                                                                                                                  SHA-512:F7B5C5F38D5AFBE7B4A7FD578C2C894E190EE644F469EC0DA71E540ADD913ED424D45D0D481E500157B93962E34DD1D9CD4A582A54E714C360F6C150398530C9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................i....@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.821046316109917
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:+6RW6eWX8Nyb8E9VF6IYijSJIVxiAKnbx:+67XcEpYi601KF
                                                                                                                                                                                                                                                                  MD5:4F0FC3B76A86526C650A9B0684B95245
                                                                                                                                                                                                                                                                  SHA1:1DC27EE1F71EFD96B4435942B7D9959FC160303C
                                                                                                                                                                                                                                                                  SHA-256:6B7FF38F8F95CAD304A82F7D709FC9270950DCD1E99E0C52466DD3AD5A6FAA11
                                                                                                                                                                                                                                                                  SHA-512:3CF0A39B32F9CC4DA14FE0031A7C704EA835AD06840DA70B390D9C857AB7B916ADAC06D61DB0F7BB4EB271547A9F1EF7BC1BD80934E3149E9A08FC6A603CB1F9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ..............................E.....@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.854836920097815
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:3SUP9W70WxhNyb8E9VF6IYijSJIVxu1RV7z:iUe/lEpYi600/n
                                                                                                                                                                                                                                                                  MD5:45D93C6FA649F9204D74AB1899F1C3D9
                                                                                                                                                                                                                                                                  SHA1:4A0C650FF3D91738B737D485A53E48917E55487C
                                                                                                                                                                                                                                                                  SHA-256:911640CC89978360175AEBEBAC93B0A00A66431516E2B9DB37EFBEFDD1AA909D
                                                                                                                                                                                                                                                                  SHA-512:3BD47D5CDB8C4215B9F45575A949378448F68A79B3C0FC74C44C5DED890E82C42D0966C504AAC82CA2C29FD0D4C4E92901FAB8A8B68B6C23B7DDF49CA1E5689D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................*.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.851374926476131
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:t8yg07W0/WtTNyb8E9VF6IYijSJIVx/ou16:tBHEPEpYi60AW6
                                                                                                                                                                                                                                                                  MD5:2663088236918D37AB0812F458B43C67
                                                                                                                                                                                                                                                                  SHA1:742477CC66DF985769A06A52F4B9493162851677
                                                                                                                                                                                                                                                                  SHA-256:FD830178DDDF42D3CFA029D0C7A1F5F47A9988D21D35EB3F6E0BA6E21F24648E
                                                                                                                                                                                                                                                                  SHA-512:DD2BFFDDB1048EBD4E4F4A6E6E5D4FD87A519B3C9156CBD2192B2EDBBC97D6FD170861AA9644E881722746D0ABDCDD4DB06B9200664B04EE55B909854610C36A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................'....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.817087250089017
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Ge1WmRWgFNyb8E9VF6IYijSJIVxaxg342:GejjBEpYi60qmZ
                                                                                                                                                                                                                                                                  MD5:B9DDD406A59FAC863D622344082882DE
                                                                                                                                                                                                                                                                  SHA1:9AFA510A8BD068824AB74F43AB5877A266A4D8FE
                                                                                                                                                                                                                                                                  SHA-256:F7CC702EC5A643680DB4CE7891B26937D391F9243F46E3FD6025922783CD2B36
                                                                                                                                                                                                                                                                  SHA-512:50094E44D92E7AF66B02F2BCBAD855B4F63B7CDE8255C7CB5100146A3CE8D5B96D70BFA707507AE93228E0211F4C8D39B3DE32934BC35047DDE9D476EE227236
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................|....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):142376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.161293995450423
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:XUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqM:eBFd3/aFs2t
                                                                                                                                                                                                                                                                  MD5:47A13DDA83D02C5B8338A7FC0522A0AD
                                                                                                                                                                                                                                                                  SHA1:CFF0D0F4B2815E15CC697D199DDAE1579BB4E0A1
                                                                                                                                                                                                                                                                  SHA-256:2C9775BCA72A1EBACDDF92213E97D10C5BC246BCCB19CD1E0557C811EED5B01F
                                                                                                                                                                                                                                                                  SHA-512:55BF83CDD4F1664E248C686FE4E2FD9BA748531A35A7352813AA0D6BCBC97C55914A9677FD7B313970291DE5994296D802037ED7F0274A52E599E922E6E5B54D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`............@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):192552
                                                                                                                                                                                                                                                                  Entropy (8bit):6.114424648358427
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:neruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbM:6W60VcTvakcXcApOc
                                                                                                                                                                                                                                                                  MD5:D85FEADEBF972203EDE6DDCBDD751A64
                                                                                                                                                                                                                                                                  SHA1:4156CFE6BC213CC6FC3F6C603F58F91D8519669D
                                                                                                                                                                                                                                                                  SHA-256:0BA6A020A4288400FAEE2AF447E1D92F29F00EF60BE326E52D211E3FB71453AD
                                                                                                                                                                                                                                                                  SHA-512:9FA089626EC8F126F3C36C7232B64A2162B4BDE22396A4D3C18A4003771D8D66C48759670FA206891CC5A710C4CFABD6EF93A51943EEE9576502CADC8F3E3B1A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... .......#....@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.836541771573711
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:DZsxgyrWYLW5HP4Nyby2sE9jBF6IYiYF85S35IVnxGUHF5LxLFsX40R:N6ZWYLWBwNyb8E9VF6IYijSJIVxNNLeX
                                                                                                                                                                                                                                                                  MD5:9028310FF5626D8C5A8AF8815A476744
                                                                                                                                                                                                                                                                  SHA1:3CFD3BB1B9741EFDDDFC99ACEF4B410ADB9FFE2A
                                                                                                                                                                                                                                                                  SHA-256:E0CD510CF6EA9A61449CA9FA704A8F32C2DA895226AF7244EEC08004E3A0F738
                                                                                                                                                                                                                                                                  SHA-512:0B09C0A5EABDBF9EA8FDD3756DFF4F5E02C2A97425AAAE534D2F3A415AD736C47EC4665202C0566ACDCE26AB04D965B6707AF457082E1442A80F23AC0EA35F43
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.790953969555689
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:t1W1WMQWkMNyb8E9VF6IYijSJIVxuHDMT:C1yMEpYi60uQ
                                                                                                                                                                                                                                                                  MD5:1DD38B6E246413ABA656A43913B77059
                                                                                                                                                                                                                                                                  SHA1:71C61475D59CC97DFA2946B7A7B51B5F24249EC7
                                                                                                                                                                                                                                                                  SHA-256:61DA35C1B73ABD565CFDC47D4B9019F681CA4F23E8EE36ACAE752F73CADE5377
                                                                                                                                                                                                                                                                  SHA-512:DF4D8BDD4DB5FCE7C5C1C6F8FAA066CFEAA4370C93F3EADBA27270E4994DE7A36F1F676C5227CF5359FCDA7EA3DE87AD36742ABE774A44A3A7736363A9ED07CD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ...............................+....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.831030175823516
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:6Q/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/PQq7O:ZdSWSKW1BNyb8E9VF6IYijSJIVxsQv
                                                                                                                                                                                                                                                                  MD5:4BD03CE10E027EA6FCBF363408B2D635
                                                                                                                                                                                                                                                                  SHA1:5AE8496EB6A6BB1C7EBBA18C5CB185E5B7C06607
                                                                                                                                                                                                                                                                  SHA-256:0B2958F63802C93F92D9A11DDC5DDCC5ADEF96FD76A2FC815B855BB45E2D1AD8
                                                                                                                                                                                                                                                                  SHA-512:B573C33D95BAF36C7C7EEC0B92441260ED029144853D5A8F70E809B881E5DB55E4C0C352857E3371AFA383D912D3F50B6911A02F74A808FE2A86B4C94C9B70F5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................x....@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.745241534522964
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZW2kC:zyYA8CqEpYi60+ZH
                                                                                                                                                                                                                                                                  MD5:0F2F35CF406093A3515D1903E625D4FC
                                                                                                                                                                                                                                                                  SHA1:329644B8B9AA08DE7EE8D4A2EF6104E39443FB44
                                                                                                                                                                                                                                                                  SHA-256:4F2556DB1097C0AFE1BFA39B8AAC464BFE6EE0A1C11A9E5E6C7A8CF4801A64F7
                                                                                                                                                                                                                                                                  SHA-512:86532AEEBD0344CE2A603986F5C0D5D52DB9528A2ED93BC7C1B531FB93ABEFB639D5AE89838F2E720059714F4E01468A0AB7BD452648BBF88CB52D7DDA4C4F7C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...................................@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.874609224447225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:3JGWe4WTYNyb8E9VF6IYijSJIVx5OCvRh:ZmRQEpYi60BD
                                                                                                                                                                                                                                                                  MD5:11A7A2FD3AF4EBAB476480C6B9844D10
                                                                                                                                                                                                                                                                  SHA1:BA546C98FF9D2228A6535D45B8A1096CAB5E7E8B
                                                                                                                                                                                                                                                                  SHA-256:1EBEBB93F3ACC1C6621D4D5B118D0C3D9F24D615EA450E62A6617C16EF78745A
                                                                                                                                                                                                                                                                  SHA-512:6E7315EEEC8E9B6D57667F57D9D952F5CD563477D26E8ECE918305451FC07B9DB041156C2716C4EE74FFFD2035BFA56D975492A37E445F88BB6759E42B9F0F0A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................Pv....@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7866056000100725
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:NdW1w3WesWn3Nyb8E9VF6IYijSJIVxV4ML3:q1wxd7EpYi60+O
                                                                                                                                                                                                                                                                  MD5:E99749C2D6855F01AF07726518259C25
                                                                                                                                                                                                                                                                  SHA1:01923DA1D66638C061F46641EA916EC7AE74738F
                                                                                                                                                                                                                                                                  SHA-256:67D6A4D61AC7B1D3DFD855DA099899C08BBBC224C3C68B29C74D7E60216EE718
                                                                                                                                                                                                                                                                  SHA-512:87736819EE103D35F18CA3BFC371752EEECF27E725EB9E3A73EFD21480BE04B5002E0D35F41B82DE009731D8F9999508EE1FB5BB7FB36879B92E4CF3020762E3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ....................................@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):24616
                                                                                                                                                                                                                                                                  Entropy (8bit):6.593818167121892
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:AylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFP:Ayp12Bhkg3qnV/srYEpYi60Rr
                                                                                                                                                                                                                                                                  MD5:E3238BA54E79B27CC6E7EBF902556D09
                                                                                                                                                                                                                                                                  SHA1:F8BC1F7D512657E9B0E5CDBD7843AB4101D2EA33
                                                                                                                                                                                                                                                                  SHA-256:D16AD1F3B3D97BA1331204060013A3CE898594BCE31CA84F700613D880525245
                                                                                                                                                                                                                                                                  SHA-512:AD8E1BAAF7B75B5AFE5800201D1BC26E9C9565BAECC13EDCE367FB7BF2A53D1B15E6B25380A31100B28213ECC1B03C8108DBAFF53EBCF5652E8E9A0C3CD0E3EF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ..............................m.....@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.854872320109744
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:rSHlx2PW1bW5kPWNyby2sE9jBF6IYiYF85S35IVnxGUHFl5tcr05b:GHPAW1bWieNyb8E9VF6IYijSJIVxJ5aw
                                                                                                                                                                                                                                                                  MD5:685C4B4E983F839137E2CD7B774A1002
                                                                                                                                                                                                                                                                  SHA1:2D7CF0F91AA51112C2A4338448148E2957431E56
                                                                                                                                                                                                                                                                  SHA-256:5FD54CD23BF035AB595A741CD728931AEAAD1FE5E631B45DD5E5276AAB412829
                                                                                                                                                                                                                                                                  SHA-512:DA9C144B5FB649B811C0BFDD1989AA573AF8AC8F352F7D0A97187CF0687E989B2B794AC89A08AEAB734ACBAFD4D55E19F7A294F64E5C503E17BB85A84E158973
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................h....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.853982369164623
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:4+TxwFqWD7W5/PtNyby2sE9jBF6IYiYF85S35IVnxGUHFCetdXG55K:zNoqWD7WJlNyb8E9VF6IYijSJIVxeOGy
                                                                                                                                                                                                                                                                  MD5:24327AF1BAFF48BA5F1F6324A61F71C1
                                                                                                                                                                                                                                                                  SHA1:F9A22C0C5FFA2EC82A4FEB4A902689B6FC59179F
                                                                                                                                                                                                                                                                  SHA-256:D74B179263A195AE4D5720B66EEFBABDE09EAC0014FE6E65DF98E5623210DB8F
                                                                                                                                                                                                                                                                  SHA-512:21104DFA526301C7A8724AAD6356BE1D0752C38184148811BAB8C9A26EC9D1EBD6ED0A91EE580E3D8F76710E2989DD3A9A16F6EACADCE386BD66DC0BA8818D4B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................:....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.86328119964248
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:bGETSAWUEWSWNyb8E9VF6IYijSJIVx6t2no:fT18+EpYi60S
                                                                                                                                                                                                                                                                  MD5:2CD1F525D9E7AF6369F04152A467D8ED
                                                                                                                                                                                                                                                                  SHA1:45F957A01971249BC1CB7EE43A1C1A714B33737C
                                                                                                                                                                                                                                                                  SHA-256:8EC2FA24A534A8A6BC488AFC6C8DCA0266135B01C49DBF9FE16920C2BFC5C8CD
                                                                                                                                                                                                                                                                  SHA-512:6E600BE03E5FAA11F56CB615588B58B605163549093436213B8595D12BB9F29A6847A38B8DFC41C07004BF3E1E2F621ED1EEAF72F9ACD41D66A5C2C295B2B381
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................>.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):110120
                                                                                                                                                                                                                                                                  Entropy (8bit):5.510648737251264
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:TPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76H:TWw0SUUKBM8aOUiiGw7qa9tK/Ybg
                                                                                                                                                                                                                                                                  MD5:A27760BA058AC5856F4A1D07210B6A42
                                                                                                                                                                                                                                                                  SHA1:BDFC736271A1C4E0D04846ACEF7285A491448BAE
                                                                                                                                                                                                                                                                  SHA-256:851B73A64C57B6E149A0B2677DC5F89BA39F31E61EFE37949C48C3697FA62324
                                                                                                                                                                                                                                                                  SHA-512:A50573FCE43757A7C8530BF71067D4D40C3591337424952E7B603E2C811CFC89631DE17DAFBFD9D714DBF4975E687152CE3CEB1479E448AAAB4878E17C98848A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ...............................K....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.847676268621053
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:RcDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsXNJ5:RPKBKnEpYi60N9D
                                                                                                                                                                                                                                                                  MD5:ED0BB3B04E5B5FECFD7C93BAE2707C3A
                                                                                                                                                                                                                                                                  SHA1:BF9F93430B820FBDE7D101C739A0BF8B48DF1BAC
                                                                                                                                                                                                                                                                  SHA-256:B217AE70945AD17489E5C89E1D0B5F9798498ABD0F2DB595221AC3E77F770706
                                                                                                                                                                                                                                                                  SHA-512:3C0B6FBB62EF929463A9834A27A2379E0125AEE03E5183B3CDE0F32C22E8F99E5842FF76F0BED19EF1AB447E0D44AD910742D4447E958475C5DAE02D53C4FDAC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ..............................\!....@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.85953484591678
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:/m6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMbWXn:/nIWD4WmiNyb8E9VF6IYijSJIVxM0RW3
                                                                                                                                                                                                                                                                  MD5:1566627D5F85534882E69C079652B08A
                                                                                                                                                                                                                                                                  SHA1:4EDA90289B7E1A969736D7814E63AE3E5B4C567D
                                                                                                                                                                                                                                                                  SHA-256:86E7CF64275697064B1A89D9377BDE56D8EE1293A21E57AE84BD8E2FB8279F71
                                                                                                                                                                                                                                                                  SHA-512:07410B21E565377D6F9CA84D4006A54534261EE7BBDD9EF360AE222E2D229030118C78A98108D1FAA8115BE8D1AB8F155A1240AA3E3EFEFA16AD1658E3B134B6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.783953692294162
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:6W2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlGCQMO:tMWzQWc9Nyb8E9VF6IYijSJIVxN/JjI
                                                                                                                                                                                                                                                                  MD5:83E20341704AF26C8FF74D9321B10C1E
                                                                                                                                                                                                                                                                  SHA1:A18DF150BA8D6D982A7CED9AB8B922C8BFFBD539
                                                                                                                                                                                                                                                                  SHA-256:705EB209C34E9E8407DB2B6099464CE9E7A18FF4B98333F12C65A6B75CCCAE36
                                                                                                                                                                                                                                                                  SHA-512:137CD3A31A5D06B9DD06E6F38E4DC16687ECB3398AFC1767C89AFD39B9AA87EE103A6E414857ABDEC286D9B2C9236C2EE99F24968EE35D93B02704EF0F57B9F1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................(,....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.724716036489479
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:fxDHKWAMWcpNyb8E9VF6IYijSJIVxlPKCg:pD8GtEpYi60Vq
                                                                                                                                                                                                                                                                  MD5:2337819E421DBF3C3315634681A605AA
                                                                                                                                                                                                                                                                  SHA1:76B72AD495AD0635D260BDC23BC7C206DFFB9810
                                                                                                                                                                                                                                                                  SHA-256:7B7737D5E647CB55BAACCEEE7C79869B5D128150E468CBF2108526C035B4DA18
                                                                                                                                                                                                                                                                  SHA-512:6F55EDD2426A45C8DC68F14AE5EC640E4A8DB515ED913FE7EC0831DD8BF075010336598CADDDB2FCC14C1959C6FF7FD49A1635C162CE4FFFD8139ABDD524246E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ....................................@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8309757576772085
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:QLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qe2/g:QbMSXEpYi60p6g
                                                                                                                                                                                                                                                                  MD5:8F83077CD78C15C196B3AA4403A25361
                                                                                                                                                                                                                                                                  SHA1:27697D0A50410F45F3647E8F83AA2434D8D23084
                                                                                                                                                                                                                                                                  SHA-256:B3948D23C8370786B1A7FCDBE4805ADF3B116EA9F800F4F1A5BA9BAA59A094BF
                                                                                                                                                                                                                                                                  SHA-512:E0A3B4BF601BEB53425F1C3280F984177E13D4F025E7F96B54AB2105B15F628813BEB9E37E01D45FB334C21602A34BA2F865B963DEB97BA50DFEDD9F2D4562EA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................{....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.884464800766763
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:sKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTXO78m:xumtEpYi60WlWD
                                                                                                                                                                                                                                                                  MD5:608CFA5936FAE45411397B435050646F
                                                                                                                                                                                                                                                                  SHA1:3CD38EC97A122C32859A35EC121469D600280E54
                                                                                                                                                                                                                                                                  SHA-256:E5EDDD5A318D1945AF4E45A3D00F516295BABB26E5D8AE6586EAD3C5F1F479CE
                                                                                                                                                                                                                                                                  SHA-512:C71502BE6AB04CD3944BAD137E53823C8FF48B589D28EABC80D74007083B59E3F8AD0441DDFF14926BA7E931B08B39977B67F15DB88D40B4F5AC9F0B0913F2FC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.830471433252565
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:6LnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1bAae:6Df4ocEpYi60gbNe
                                                                                                                                                                                                                                                                  MD5:22BADF9DD8B72261A211BFD011A4C8B2
                                                                                                                                                                                                                                                                  SHA1:3248AB6897B1B11E2435B2922516B1D425A0A066
                                                                                                                                                                                                                                                                  SHA-256:3ACE189115E9E0CBEF40D91113D2534065E9B3C7637AEC7FC2FCC076AB9821A2
                                                                                                                                                                                                                                                                  SHA-512:BABF37E5B9ED54ECBCA2F6F22BA1CAB012B7AEF98338DB8EA5C66B3C88FC6218104F317324F59B3F37DC552442683CFA07C144C930F2D928A5AFD9E8F3BB717F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................,.....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.671168291822592
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Qh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBe+:Qy9gpEpYi60AV
                                                                                                                                                                                                                                                                  MD5:B2A7A924DE7A9B3A1BC24F97C96F46A7
                                                                                                                                                                                                                                                                  SHA1:63C105C2BE54181A927240CE53A245EEF5772006
                                                                                                                                                                                                                                                                  SHA-256:E6BF244EA19064E9E60800D7E126BA7C50410F7DF9C382EA34C83D296664BF8E
                                                                                                                                                                                                                                                                  SHA-512:315CA16713CB063AA712E1D513A0264C6C5CA95845F7756BACEE4F296EAB5DB9A55706C754254DB3A5DF9DF18C7BFDF32581760A5BFDFDF9743FA1AB363CCD41
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................z.....@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.813587934716137
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:2na8WK1WLfNyb8E9VF6IYijSJIVxY4fz9:2na0ojEpYi60J9
                                                                                                                                                                                                                                                                  MD5:5716EE2738F8F76979155FDACECB5C0C
                                                                                                                                                                                                                                                                  SHA1:9A6AE1A93840839FA647DE64F6318D7F56B26D4C
                                                                                                                                                                                                                                                                  SHA-256:3BF698EDC3D060A83316B39224B6CB6568F6F6E06AABBE2BA2517DBC665DD4DF
                                                                                                                                                                                                                                                                  SHA-512:FDB045A6AA74D42EC14703BAE90156BF82C945610A967D985755A815476F1BBA2A83867169945C492679BB42298ED420323915D5E4967C8D05534B1667820A4A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ..............................a.....@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.761881198456678
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:TBSWITWWSNyb8E9VF6IYijSJIVx3mR6CrIO:T6LyEpYi60WRjIO
                                                                                                                                                                                                                                                                  MD5:6DE7AC728A20BC60F092479E3EF06F6D
                                                                                                                                                                                                                                                                  SHA1:ABCCBD3458F0692B50C23423171BB4B72718ABD5
                                                                                                                                                                                                                                                                  SHA-256:E7F96EF21BC499872D1B80974A40C97524C788AAB36946AF04B08F32B2EC643F
                                                                                                                                                                                                                                                                  SHA-512:BE53EB4C43DE79C9FA0FE448C37879FBC0C3C1F85FA0047FBF93C9E1EBA8464D680E03F96154ACC42E10CDD85E2D3378736C72F0FBBC4CA2D589F4FEB0E0B195
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ..............................!E....@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8756068830878
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:j88cIIWNoWJiNyb8E9VF6IYijSJIVxJyw:j9cU7iEpYi60x
                                                                                                                                                                                                                                                                  MD5:E7E2D8DF7EAD9D209524406044848F25
                                                                                                                                                                                                                                                                  SHA1:2CD56D0483F23294671B5AB95F041E76ADB7CFAC
                                                                                                                                                                                                                                                                  SHA-256:3437DC1F9380D9890B77A06597901EE1C5B3DD5F9A889D7AA8A2F46CBE314BEC
                                                                                                                                                                                                                                                                  SHA-512:23E2467186C50BBF8468F70C17C1E44794A79766B88B75BC6F90E4B6758FB9714831A9F1C0831606BB929D69A812D6C86FBB843B48B231B1169E689C0B90589B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ..............................M.....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22568
                                                                                                                                                                                                                                                                  Entropy (8bit):6.618631827128889
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:IkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXUlv:XrmoFmWXX/NEpYi60bav
                                                                                                                                                                                                                                                                  MD5:1CC223DA2E4AC998C53EA59B66F356F8
                                                                                                                                                                                                                                                                  SHA1:975FC204A6D8B093F2331B3B7FC93E04680F5B86
                                                                                                                                                                                                                                                                  SHA-256:86EC9DD10202679A39E3A934825EE267F625C2D7D3D907530D57C3FA48B211CF
                                                                                                                                                                                                                                                                  SHA-512:C0A6ECE93E33F9E9512B3AEFCF8B3AC0E6ACC64B65FBB86217A28E70B60CFD6414F3C2730EC1EE51195DA00EE096CA13BB5183FA05DDA52042652EBF50AE5B43
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ....................................@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18472
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6724040809809555
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:U09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsp:VOAghbsDCyVnVc3p/i2fBVlAO/BRU+pf
                                                                                                                                                                                                                                                                  MD5:D1D58B64959C12A4FD927DD402163CC5
                                                                                                                                                                                                                                                                  SHA1:412A1FCCB056168F709DA18A57C70BA116C0A4D7
                                                                                                                                                                                                                                                                  SHA-256:F0A641647BA8FEA83ED81359106D386710147A8E5C5BD61B23F71B9BAE352D17
                                                                                                                                                                                                                                                                  SHA-512:62234C2B5531BF63C250DB381B7D642BD441D5EC61478CCEED76CDB03AA11011A332DFD9A5A98AB99D36B35CAA6672A09B562C19DF5C70BBEABA16F7FB8E4203
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ..............................-^....@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.829655689203351
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:cRYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRFiylI6a:f7W6RWmaNyb8E9VF6IYijSJIVxZ7D1
                                                                                                                                                                                                                                                                  MD5:6976929BBABCA3037BD9C167A2F404C3
                                                                                                                                                                                                                                                                  SHA1:879B8D9EAAA33348417B636F5FC9C0352CA0D007
                                                                                                                                                                                                                                                                  SHA-256:C42091E10CB4BF21CEF687E4320F2A2C50C9EC0FAE63B642F4B3C44F2F2E404F
                                                                                                                                                                                                                                                                  SHA-512:FEA16FDDEEC9DC12652E7DC17EC402A117FD1F045969FA2AFED6AB0F09D31271933AA15592693C4D2EB82AAC8EE724641ADBAA4B1DDA6FCBE0CFF4016A6D1962
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................=....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.921024068511714
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:wI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKiej:wI5HFwTBI8EpYi60lNj
                                                                                                                                                                                                                                                                  MD5:2DFC13FAC522AC63441125E17F4B8ECC
                                                                                                                                                                                                                                                                  SHA1:7C7FE89B151FBE4BD68F4BB292BDECF097E181D0
                                                                                                                                                                                                                                                                  SHA-256:BFC87A0F913B23E28636FDDC346D5C279E6F5B1023E6A80B1657047101646202
                                                                                                                                                                                                                                                                  SHA-512:4D8067CB2201BD92DBC45497C3EE3C7A93ED5859D309B0359F3490F0A5438D0E80E4C1A210F32AE142EDB817D7D721B171FE1B538260FA8265AC1E8DD81EB938
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................4....@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.892625196711899
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:PAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxn+f3J:PAJpWfkBAbEpYi60a3J
                                                                                                                                                                                                                                                                  MD5:045F3B062CBDD6486E81D56AD6ADB1F7
                                                                                                                                                                                                                                                                  SHA1:0A4DEC84E3B588FB09BE09ED4D2111477445B26F
                                                                                                                                                                                                                                                                  SHA-256:EFA9FABEB1009EEEBAEEB6B57B4ED2B0C3660EB43764A83668DC3010C70CA86A
                                                                                                                                                                                                                                                                  SHA-512:2A572BAF6058F5456F81D437F593A5FD58D9F05FF80E03DA760322025A09C6A790FB5BF11DFC21D38247F3FD52D03F3A0FFAE4F11A798C362A8873826B8B5F24
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ..............................([....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):21032
                                                                                                                                                                                                                                                                  Entropy (8bit):6.539784818924537
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:b8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRNzz8:W1dyAqgQBfqyTBZZEpYi60g
                                                                                                                                                                                                                                                                  MD5:4F86DC8958B2EADD05103A3973E2EDAF
                                                                                                                                                                                                                                                                  SHA1:80A96E28831D2A41C80172F680C0C937761BEECD
                                                                                                                                                                                                                                                                  SHA-256:051561A7CA00CA206A98FBAF018FD9EB51B2D42DAAF32AF0F7A2C8F7D145BE29
                                                                                                                                                                                                                                                                  SHA-512:7BE008DC538478E83C80934F4EBFE9E056919E3D764ECABE220600217ABCA46E1361C962280227B131D7E2BFB1A88BF3F6D4C69B58A224FE2C737AD7F93EA4C0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ............................... ....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18984
                                                                                                                                                                                                                                                                  Entropy (8bit):6.681785803676866
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:xpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8o8z:nsPMQMI8COYyi4oBNw4tBrcEpYi60S
                                                                                                                                                                                                                                                                  MD5:43F7E5827AF0DC34C13D7EF02B5877AA
                                                                                                                                                                                                                                                                  SHA1:89D7B88D8803DBE8DDC925E5252EA336F0EB2AE9
                                                                                                                                                                                                                                                                  SHA-256:63D90FC022D531AF33493D413FCD7C88553F0C47EA7909144F9CE4C76C0DF9F5
                                                                                                                                                                                                                                                                  SHA-512:64EA2414299E84137FA1828F96953F4B039B19C3A0B4527C19971B11A32C58C4044C7335EF76F384057FD52111A1DD682E12B52CFE5EC81E7D1B484DFE15F4F2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................>.....@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23592
                                                                                                                                                                                                                                                                  Entropy (8bit):6.317272664503148
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:VbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTSuB:VbhzkKs9TEpYi60p
                                                                                                                                                                                                                                                                  MD5:3F33D240969A76306AA2884F7254E84E
                                                                                                                                                                                                                                                                  SHA1:83E0443482D87D7537586E6C686CA8CD37E1DE49
                                                                                                                                                                                                                                                                  SHA-256:2B18DC264B14C3A8A553F2ADBD8E08643049AFC970E94A71CE9DD1CD120326BD
                                                                                                                                                                                                                                                                  SHA-512:8A16029FFB19805AD62846438792058C2CE83AB9916862EE65F8332F740C08B7E213D3261CEA0340323EB6ED406B416EBE80DAB002A49E10152FC492DC7E9B31
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ....................................@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8641760993802
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:sUcX6W9aWTmNyb8E9VF6IYijSJIVx7y5UA9:sUchXuEpYi60K
                                                                                                                                                                                                                                                                  MD5:90851FAA93AC21FA4BFF8B44E19CD3EA
                                                                                                                                                                                                                                                                  SHA1:55A2DF0C354E03E704C779BE91ACFAB15B0EDD2F
                                                                                                                                                                                                                                                                  SHA-256:2E0F1D274410F097DC9338BD152F996B8C0975D6E21BF6A0672A57EE54CE1482
                                                                                                                                                                                                                                                                  SHA-512:CE183ADDD8E5A93B08ECDB463F8B071537B4B4ACB44BF0EBCCAE3448FABBA67DC0AC85671503E94A0E7F86FA0353DA629653846C7C66233D3130AFDB8F956F91
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ...............................@....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41000
                                                                                                                                                                                                                                                                  Entropy (8bit):5.950693749695141
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:EoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60v:TPmb9WKs0PeeUJ76m
                                                                                                                                                                                                                                                                  MD5:7FB055C905D9A39F3C6A3727F9973931
                                                                                                                                                                                                                                                                  SHA1:CFB905ABADB4763E14ED6C81FB53237B5535471E
                                                                                                                                                                                                                                                                  SHA-256:0DF92CC1C99757A8AF1F9E602C558BBD5951E7F74FB4B4818310AE62F14951A3
                                                                                                                                                                                                                                                                  SHA-512:C65200E385652D5E6EAB6D4C879C2F3CA013F661A70C7EA269FC2A56CFAAE7D1349E67228A0734334446DF7F5FD496F677A0D5EA389F00E1B3C9B4819EE8D5D6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ....................................@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.894656801462163
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:jTI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypsikUt:jE3bnEpYi60ppJt
                                                                                                                                                                                                                                                                  MD5:5AF75DD465E0FB5499F26F7705C66EF0
                                                                                                                                                                                                                                                                  SHA1:B818D0D374D1481AFBBFC10ACC18FAE415884091
                                                                                                                                                                                                                                                                  SHA-256:03CE2EDBA81F2B4FC721152A43E50D897F3729EFC95FDAAA9B75FE1044CF8E9C
                                                                                                                                                                                                                                                                  SHA-512:014A9171C2EC833D33E0FEF4B23187583E4E2D75C81B61B6966A44F1598AD7D7FD458920189B0FCBD2F2C877B8CB3CD0395ECA155137803F8733B51ACB610EE1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ...................................@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.910298478995302
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Vcezoy4W04WGINyb8E9VF6IYijSJIVxmpc:VBzoy+kgEpYi609
                                                                                                                                                                                                                                                                  MD5:F21B83D02F3F41A17DA661D1946ABCFC
                                                                                                                                                                                                                                                                  SHA1:D9AE7E6A4349F630621F3ADA8DC4CEF314E90436
                                                                                                                                                                                                                                                                  SHA-256:F373EB334E331CC72EE6E7CFF66C1594F3DB4CE7C895ACE2DA867F114A84CAAE
                                                                                                                                                                                                                                                                  SHA-512:AA916DE4EE19F17D7B3938EE7BF14F72DA77B839A0C995EA43A927DF15889C2CAD2C6800F318454A062CA7B774D713F30A450771B561D8CA8E38BA98C76960BE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ...............................\....@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.795979658861104
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zH/JWKpWDQNyb8E9VF6IYijSJIVxX5qd5:zH/j8oEpYi60y5
                                                                                                                                                                                                                                                                  MD5:0D53104075C8DF39D4A0CFC0B36A3D04
                                                                                                                                                                                                                                                                  SHA1:7336DA34B096A727A51D6D38DAECA2C4881B2778
                                                                                                                                                                                                                                                                  SHA-256:CBD5EC9F943F07404CC33A7956A40F925832A3338C65CA7DD9C312C2F7E03BFB
                                                                                                                                                                                                                                                                  SHA-512:099911E7BE7A6A25DFC952A007348A840D3FED8B92516E3B049E12A6F24EB7585CAD962658B242C0D19E83E7BEA07EC605561563B2FF14AD8A3890DC77349887
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.742301132485331
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:STjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLJTx:SboYyFiEpYi60tb
                                                                                                                                                                                                                                                                  MD5:3D93A992DD312FE629AB5D6CCF850528
                                                                                                                                                                                                                                                                  SHA1:C071A9279B8443AE461A1C714CFFA487FF7CF359
                                                                                                                                                                                                                                                                  SHA-256:9742081D172405E3CA98842B5E1FF3E7BD0F5825066DE327EB4290A5D6BF5B3D
                                                                                                                                                                                                                                                                  SHA-512:618EF6B5E46AFE3835D7393A63FE7B3C4A73F17535913EFCCB4E310BEBCEE54708B6F9D80F0CE3E573C1525A39C1F15B3262E232B02109A8C0E46F646245B560
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ...............................'....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8445483953916035
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:pSKiWIhWG3Nyb8E9VF6IYijSJIVxLp8y0A:pSK8l7EpYi609Z
                                                                                                                                                                                                                                                                  MD5:FE7BC6211C4AF906699B28C485BEBE46
                                                                                                                                                                                                                                                                  SHA1:5C54F221F0C5BA1ACF39281BE2658850DBF9A60A
                                                                                                                                                                                                                                                                  SHA-256:A772F2AB0828BE9F22ADC5BCF14DB2114DE2A2FE20F0AAEBF8957043A5A5BB27
                                                                                                                                                                                                                                                                  SHA-512:3F50EC9CDA1873961D0BC5D5214310F4D0A2E28E8A66249AC11730EAC5A5F8A89EB136E1B9A49A4D9792B094ACAA9FB4BBC67B4F8F2E7DE4F9FF355C04B24222
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.789117842351263
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:b0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8eP:QKRyhfEpYi603k
                                                                                                                                                                                                                                                                  MD5:49101FB80BE698D6FF2EB01FF7A02911
                                                                                                                                                                                                                                                                  SHA1:C7C94A2315F5B05AD5DF0A474E5C47A05306CD3C
                                                                                                                                                                                                                                                                  SHA-256:DBA9B817AC977A09A7D3045026FB57802ABEBA67E31BD1C1BFCCB2529300EEE5
                                                                                                                                                                                                                                                                  SHA-512:5040460E4E307037C3442D432ADEC67869C02ED8BC99B55E4D5191E3DCF53C0AAC3FACEC1BBC84E74A237D6507FE43152DD2152363018F9BBA699A4B77E12C30
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ..............................).....@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.874719627578481
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Sb1nWCXWr7Nyb8E9VF6IYijSJIVxnY3fHxk:s7yXEpYi60gxk
                                                                                                                                                                                                                                                                  MD5:B3ACA0F8C91EC33D1FB267FBF2DE120F
                                                                                                                                                                                                                                                                  SHA1:29EE280A3C25C7FCC75DDE7ABFB88693DD9AE46F
                                                                                                                                                                                                                                                                  SHA-256:AD8F66A8E2340499A3E2A885B8E9DB90A3125A15004CCE3B429E65C0E7DA9B16
                                                                                                                                                                                                                                                                  SHA-512:24F20FC78EAE801D5E0C3233043408922896A75EA6E5166F629545371FF203A6359555A68FF232C60544E98618BAA81494F46B578BD278461FC333CA82DC793F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ............................... ....@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.774262964652296
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:/LyW7TWyDNyb8E9VF6IYijSJIVxRr9z6H:DfPfEpYi60y
                                                                                                                                                                                                                                                                  MD5:61C00354BE279E4DB20FFD3B5B326DD9
                                                                                                                                                                                                                                                                  SHA1:C6C9BD6E0970F123FC5CAFE714B768532791F5EE
                                                                                                                                                                                                                                                                  SHA-256:13D44BB25D9F5F27A3D26B3582A39A7C3896BEC2D54ECAB9C444F1CC6A4FE9CC
                                                                                                                                                                                                                                                                  SHA-512:3FFB5B41441894EABF232321932DFE746B968A3CBECD53E98BA96F630334AB3E4E2EF518125805EC831FB350F44B60F8328C3D57BFD038AED86507D702F2439E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.907819210404346
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:86Rb32WVzWwtNyb8E9VF6IYijSJIVx0H2:bRb3dtJEpYi60D
                                                                                                                                                                                                                                                                  MD5:92C3B5E46C974C9A12DD17F345F15A6A
                                                                                                                                                                                                                                                                  SHA1:641949D9C56F6B0B7866FD77C13B24DD760688CB
                                                                                                                                                                                                                                                                  SHA-256:99D5F16B1726D92FD674D66FB1F11FF89C33421866CC93326851FB2416F4B244
                                                                                                                                                                                                                                                                  SHA-512:08CE17508591BA7EFB6004986B69BE8CCE4B1FC12E316CDA3AD6E86EEEEFE1DA919396C659E9C4E201A80E6B52FE69AC0A391CFF5D100734218B63F614E90805
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................:....@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):31784
                                                                                                                                                                                                                                                                  Entropy (8bit):6.534970290410218
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xu5I+sqOylryry8qqIfUc7a5eMEpYi60J5Q:xYIVBpry8qqIfUcm5eF76i5Q
                                                                                                                                                                                                                                                                  MD5:D594D9CD12ADEC6A44A7930F4E6E57B3
                                                                                                                                                                                                                                                                  SHA1:EC68E31F107BB911BC6799B66449BFFD02FEE686
                                                                                                                                                                                                                                                                  SHA-256:09AC1AF349902D72C2C8A5106EA75A3E00475E16A08A1ADB06E1923D30C9FEB5
                                                                                                                                                                                                                                                                  SHA-512:109E912D34FA492134A821F080DE97F614F672F3BBAFCFD85DB8DF13731E31A81F75D1FA12D5EDC5A4A29F1DCC2AF6792A6B20DA1D5EF7EC2CAC2BB1F2C98BCB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ..............................j?....@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.87608762940196
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Gvn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDaLt:ZS/I4EpYi60g
                                                                                                                                                                                                                                                                  MD5:9DE4F0B97176A6A5DFFACFA7D814AE5B
                                                                                                                                                                                                                                                                  SHA1:901344AB9C79E9710EBA25DB68D9E1528D81792F
                                                                                                                                                                                                                                                                  SHA-256:D77C918FFAD2F529CC8C154EB3C1ACF50DC542741BF7AFD9E70786FE81AE1B7F
                                                                                                                                                                                                                                                                  SHA-512:37AC428EDDFE7001A1490182DD79DC3F4830F2548FB3727E9F0F1D5224DB1DFA95988EB8284F39D29A852F9B552FB3073A8EA8C630770018AD7F88EA900E2FD6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................;.....@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.766567453209908
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:38MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoI0F:sMjKb4vcGdO7LEpYi60EF
                                                                                                                                                                                                                                                                  MD5:E6089C386AA8BDF2C9240DF0098B0C41
                                                                                                                                                                                                                                                                  SHA1:5B4E1D708FFE66B2D4B86A765D063C7F4F3D39FF
                                                                                                                                                                                                                                                                  SHA-256:258FBB18BC7432053EDC7E098AFA9D0BB0A1068BB253068CD7449D87DD3C3135
                                                                                                                                                                                                                                                                  SHA-512:42BAC7E61967A57F41270C7F1C3FC48FAADBCAE207A54ED54D9E9BC5780C253C0A89F823DE5D222E51B82B2998748E7D9027944D269983FF9A18EAD7667D84E1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................3:....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.857184391871379
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:PzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYhPMu:OztEEpYi60cpb
                                                                                                                                                                                                                                                                  MD5:8D28AEDFA446EA70795D468AE16934D5
                                                                                                                                                                                                                                                                  SHA1:F1330A420CFF4FF24DBDF7E8378397FF80DF8A58
                                                                                                                                                                                                                                                                  SHA-256:7AE92817F37DD736529FB391768AA36F742E7BFA3D9082A2F244CF2AC521FE24
                                                                                                                                                                                                                                                                  SHA-512:0F8AA673889AD150A729D642CBA150FF8BF202ACBA41417F030CCB21922771C54715132D47CF814EF460FF199F54D645D2336C27CD37952ADB368C2FEFC9CE13
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................G.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.859931444896201
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Ivs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm8Y5O6:IuM0xEpYi60PYc6
                                                                                                                                                                                                                                                                  MD5:25F33DFB6C83FCD0FC1DE251FE683DB5
                                                                                                                                                                                                                                                                  SHA1:790ED2654D3016B4470AF54FF8C5E2029E215B27
                                                                                                                                                                                                                                                                  SHA-256:409131B7270D31B1313182B2FB6D5219CE3DE607F0CBB82D98EC61DBB514FFA5
                                                                                                                                                                                                                                                                  SHA-512:BBCD6A5FDBF859F734FE65F57263AB9CE2586AD9228CAF4A4970F3DEAF0E47E4D65EC565356DFB78798F7C66DDA80535142746F9D51E5C230C5E89F81610AA4E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...............................:....@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.827015314349416
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:nFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9Jtlw2p:nFz1c60EEpYi60L3pp
                                                                                                                                                                                                                                                                  MD5:3D71ED83427BF05AB130F4F29DA2D701
                                                                                                                                                                                                                                                                  SHA1:46604588D91D51387CB8801591DFB555E90783B4
                                                                                                                                                                                                                                                                  SHA-256:15927B1892031F463E8E4B45104A41FA7090A313A75A4CACD81B1D1D95918648
                                                                                                                                                                                                                                                                  SHA-512:B35AE26ED42F5347BAF878F4D5E2764C30D72A38E021E1E3467C67F6D849E928FC5563628FAFD5DDFB9F8F5DEDF32702EC23B30F8BEF10E5D75FBF314528615C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................50....@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.723652389565766
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:X6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJz8dE:XaB/TEpYi607y
                                                                                                                                                                                                                                                                  MD5:6BEAC5BA1A217194D23572ECDDCE2759
                                                                                                                                                                                                                                                                  SHA1:FEC30E3B4EDEDDD668F891D3DBB6FC15BDAEE248
                                                                                                                                                                                                                                                                  SHA-256:7E085CC86E5B00BF8BC68F09C15F4B7866E38A15CDB1ABA4A32E0176CF40045B
                                                                                                                                                                                                                                                                  SHA-512:BD1D57184AE9E1DE828B36684694859EC1435BDEC7029F66FF06380FF3029344BC12EB7BA793F8D56E1903C3A593DD8A2796C81E57F6214318B39DD632DB9A27
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ...............................4....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73256
                                                                                                                                                                                                                                                                  Entropy (8bit):5.9547665237514895
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:G784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nV:G7N1r9KGI04CCAskwV
                                                                                                                                                                                                                                                                  MD5:B9DA1FE2089DE0A8B1814F5997FC72BC
                                                                                                                                                                                                                                                                  SHA1:173B1F7C7408E94A76927CCFC1D53DB9518E0E4B
                                                                                                                                                                                                                                                                  SHA-256:2D080E6BBEBEBDC9F5D474B9595746F578B5451E2E6D24A10CDCDD216F57AC2F
                                                                                                                                                                                                                                                                  SHA-512:3F38C7ED3EE6ED7B3B699E2C0521A8AA34357E801AFDFD175AA47925EE8B1E75A9BBB8C3C2F2342862689D5BB18262776F35407FD766F4BE46F064AC54446917
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.853900301591647
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Jr97WquW6/Nyb8E9VF6IYijSJIVxkp9mGXZ:JRJKDEpYi60eF
                                                                                                                                                                                                                                                                  MD5:0C9A6CDE287F0B0C48902EA337CF7949
                                                                                                                                                                                                                                                                  SHA1:2074CD6D4642F0F659D17F923C9F84CC696D1F12
                                                                                                                                                                                                                                                                  SHA-256:B22D08A687ECAAB2E7475E9834560E2C4B00DC2BF0C7259CCFC81C44D2C611CA
                                                                                                                                                                                                                                                                  SHA-512:23567A5C1734E7667E4827049CAF6ACC1BCDB658895D2A413832C56E4C727E7BB120E1C8AAA4C66AC1CF21793A07E9F7F0237183FEA3763AC6ACB6506CDDDAC7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ..............................2.....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.791351843410249
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:cvh2uxSleWLDW5wP8rNyby2sE9jBF6IYiYF85S35IVnxGUHFMsSAfy:O16eWLDWGoNyb8E9VF6IYijSJIVx4MK
                                                                                                                                                                                                                                                                  MD5:1EAD058E00ADC84AD8A50D569BA4521D
                                                                                                                                                                                                                                                                  SHA1:986087A3B7077DDB4F910D53F9E871A89E31D9E4
                                                                                                                                                                                                                                                                  SHA-256:3C9C5421BBB4324F0F6338882806A257F77965876F12824D43829EAE003622C6
                                                                                                                                                                                                                                                                  SHA-512:3B070330FCB4BC6C170C69B3DB0CA149C3CE8E81779F4B7254088DBC423A7E4D9E331F379467EE16E4DB1F8DAC69C223A369325707BFA0FC7B2301B23475FDEA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ....................................@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7831784200733
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:C8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxP4AZ:tGZ5OwEpYi60n
                                                                                                                                                                                                                                                                  MD5:18280BC3C94A054A45628EEC1DF266A8
                                                                                                                                                                                                                                                                  SHA1:DB5C8F6578CBC9BA93014883C027C6A9DE777F67
                                                                                                                                                                                                                                                                  SHA-256:87CE63CAAA2B024E97DBD1861F13119C5378D3C3D4C0B76B8E6F66CB5FFBA5C7
                                                                                                                                                                                                                                                                  SHA-512:9A6BF6FA0DF136566AD596FADD206E9FC089939500543817D341E4E9A2214654AB87966D6F5E05B211482DBDAB2F8E222837014D685BE564622EA11E3114CAE3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...................................@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.89811663827779
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:F6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPUE:FYT1cREpYi6001
                                                                                                                                                                                                                                                                  MD5:B5573716CB6D73603A91A2DDD9417236
                                                                                                                                                                                                                                                                  SHA1:9647D429082395CBD82E71C7A4F126180591D1AB
                                                                                                                                                                                                                                                                  SHA-256:1B98B61E3ED9A990BFE7FE909ED154E743713202DCFA655B261E15788BE78605
                                                                                                                                                                                                                                                                  SHA-512:2BDE18B4A19AE18EA5F2507A0890CDB7B4E12C1ECEEA45719390CD8C0E86BF543174A10876195A9230B3D8A1D383A2C69B4C01CDA372FFB502B227170E53DE73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................E.....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.810703111667448
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:DUv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILSM:DM7c1m0EpYi600/
                                                                                                                                                                                                                                                                  MD5:A00D659894A0486055C5BBA1E09A5400
                                                                                                                                                                                                                                                                  SHA1:597FBEA2CB5249EE5AAAD13E3C8F6A347A70E53D
                                                                                                                                                                                                                                                                  SHA-256:F2F11E3A920361F15E107E5687E6662230DB520E196B2799BDDEED3949AACFFF
                                                                                                                                                                                                                                                                  SHA-512:BB0854D683871384FC3356740E5C54E3BB8802D63D4276E2EDE619C43F5D1E89792CF205B287FCF3D0436CB1B5607A081E81F4FE1FE8E389FAB8ABA563466BBD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ...............................v....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.852365362100018
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:Dx+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nXYhlbR:4SWnRWJ0Nyb8E9VF6IYijSJIVxITYjbR
                                                                                                                                                                                                                                                                  MD5:897B4ACADE1E98F8EF9DF939AFC19DDE
                                                                                                                                                                                                                                                                  SHA1:A46F642D080DF919E8523672F614A1409FED7490
                                                                                                                                                                                                                                                                  SHA-256:FEEA00F2A302198673766E25C042A007503B0B288FC9CE0E2F65A3EAC4CB5442
                                                                                                                                                                                                                                                                  SHA-512:DE35426A127F636A5CBC043428FF0E7C0623712F2ACCEB6EBEC8DD855B9BD14BAD5CF670B2D80B801C138E0CC928AE797BD1DFC38AB69ADE58E925A4E3AE66BA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ....................................@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):92712
                                                                                                                                                                                                                                                                  Entropy (8bit):5.483010862843941
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:72Ec05j4eAH64rh5fSt5T9nFcI94WYG76rF:KlK4eA7mDmWYGa
                                                                                                                                                                                                                                                                  MD5:7809B2A1A7F1E551303AE139883E715C
                                                                                                                                                                                                                                                                  SHA1:8BBB442FE28E28A4C499FF190E26AC892CB8AB1F
                                                                                                                                                                                                                                                                  SHA-256:9A79A4ED51DA46805218B6C0AC883D4DD7DB1CEA3821F169110B9F79DF8B1A0C
                                                                                                                                                                                                                                                                  SHA-512:70BC185D3BF9F31C94813359393E6595136857F28438AC98B5A85F84C3DF807F14B57E2F68AC499BC7E61855AB9CB32EA082532449BEB6AFA9AC3BF9B7D1E278
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ..............................4.....@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3024123
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999926956152327
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:49152:XtwldCigFirCUvd1LJoZSrfzWZWrOwv5l10jYQMFsin5tKfgD768LjNx4dOOPHT:G4igFibvL1yUROkf1a4Cin5t6JKhOPHT
                                                                                                                                                                                                                                                                  MD5:384D6DA5C34FF401B18F0AF41E3A2643
                                                                                                                                                                                                                                                                  SHA1:3DDFBCF79E55904DF77DF2125F2112CFE7703EEC
                                                                                                                                                                                                                                                                  SHA-256:0699C4CCAA2F9E6768475F7FBD0DD93DAB1A0A0DC8859E9EE8F8A48AD1075D7D
                                                                                                                                                                                                                                                                  SHA-512:5B63245BEDFC7260B27254A33F621A8B626A36C13C8F8AD516F51013BD6751770D37AFDC1FF8F7646D9F972081ACD24776314405CC397762A4F58D6DCA0A7F32
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-......<fY:'zY........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(.......%n............a....^&....#..<[.. .o>2)....W.PlphQ..%We....2...~L........\..1,5.1n..P{=I..9..|....:5-b..J..^..J...}...C:.....kA.G.Q.B....Ee....f..v+%.f....2......)cd........DJ.W'..D,...u4`e.t.u....B.c.T...u.;.v.7.Gs...+.1.%..C.ma.a.9...2j).......v.p....Z......I...,ay;.k..<...=[p.......NB.<......u...C.2..|".d.j......#?..1...]Z... ..%Atv....z....s.IH......R.....Rb.....EKM9...l...EA............R.....5g).......'S..o.(......|..oa..<.".z ...Z[My...`..s...3.v`M%s...fW0J..aD.-e....3iUQ~)s.<*7..{..3..d.<G2_w.7...Tz..k.)w.RR0.6*.0Sl.....3..F8..O..g..E.ahr.C....^.BPGw.Z"#?...l....X..z..o..B..K....R.?..`..>Bz..;0V.>.<.+.J.4/ ..V".4..~xl..F..,.qN..mQV.C..z.H....PI.'t\z~..E.>.|.9..<..W..Da..X<.@N.A...........<.$..G...$...g\(..._:.....{............".g....MX&.^......O'm.5..J&..G]XK.y...*y......Y.*.on.~....$*J.'..|....l......1.%L\.1V....*......._...g......<.EG..9.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):56872
                                                                                                                                                                                                                                                                  Entropy (8bit):6.184385666278393
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:pQG8WGQaZZdCf1LJiuyljLY+z/VyGICVbxPuYL4qtbeBtYcFm7B6K1oEpYi60CE:pQQx4L7VSybxiqt6xm7Bl1R76E
                                                                                                                                                                                                                                                                  MD5:A739B889642CA9CE4AD3A37A3C521604
                                                                                                                                                                                                                                                                  SHA1:18BCF6FD14C5AECE67AE795A3C505A0C1A9D5175
                                                                                                                                                                                                                                                                  SHA-256:44B96244B823052FB19509B1F9576488750C4EDAB61840AF24B10C208B47FC92
                                                                                                                                                                                                                                                                  SHA-512:92243E80FD77B9C3F9231C750935B34D9ADCDC76E1A45A445C47888A1E98FACA1C26F617459DB0C1AF4860A5172401F03E64039888E6F84726D2457CC550BAE0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+g.........."...0.................. ........@.. ...............................B....`....................................O.......................((........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Q...k...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1251
                                                                                                                                                                                                                                                                  Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                  MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                                                  SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                                                  SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                                                  SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXTLV:WBTh
                                                                                                                                                                                                                                                                  MD5:0A4E3CA227D7488A6D35CD34C996A112
                                                                                                                                                                                                                                                                  SHA1:EAA59486A0A1C4C90F6CCE96879EBEBFC42A2CC6
                                                                                                                                                                                                                                                                  SHA-256:8863E1E0D918A36F4E570BFDA20316AE5A131FE3EDE970A83AD704059F5A2743
                                                                                                                                                                                                                                                                  SHA-512:400C3A3112AAA18027C47B5370BCEE535F8CE82B945DC96E16B81A99DFC8BEF6C0C996E363AB67336D746A602A3CFD70B989017497A1E55AF7663A336F5D15E8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=26.0

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):112168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.178091158418056
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:fgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tUn:f0jjnl1wuDYjQbQgLbZs8DWdKp
                                                                                                                                                                                                                                                                  MD5:524644D07DFBB5BA00BC10760ADC1A26
                                                                                                                                                                                                                                                                  SHA1:09F5FB63FCF2B98CDDE49C08C7F00AA1F5D736B8
                                                                                                                                                                                                                                                                  SHA-256:2A4CC462C8D4132D3E790225753250004BFB853D44C16DB9847D3259A31F72A5
                                                                                                                                                                                                                                                                  SHA-512:311657CF4C66771285DA324C0D3D669134994A1C15CBF6BDD93C9823F629F846C4BF82CF890B34055C213B5D0B0EAAFB94DA2A6B02BD46B85CB1CB8DA3F00489
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ....................................`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):38952
                                                                                                                                                                                                                                                                  Entropy (8bit):6.310416565021442
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:MINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgF:JNsii6v/HS0+OJd5gpKm76tgF
                                                                                                                                                                                                                                                                  MD5:AD1B43C318655C7B1718650CE2363B31
                                                                                                                                                                                                                                                                  SHA1:7F79895F5EFCA53625077B77A3A706FEE84AC8B2
                                                                                                                                                                                                                                                                  SHA-256:BC8DCB5453165431C14E42D8CC625B110FD1FFD2262A264B89E2B5919221E11C
                                                                                                                                                                                                                                                                  SHA-512:66D59A88B8D2AD20CED038FA1B21C8EBD5C05EE12488056EB375BCBBA9350A86E6B75C2BB96B6EFFA37F0DA4DBC92D0950F29DBC6383E93F45068180E104747B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................u.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398888
                                                                                                                                                                                                                                                                  Entropy (8bit):6.134241628993444
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:UjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvZ:U+e55LgIkTmyAAfTnMLvZ
                                                                                                                                                                                                                                                                  MD5:6762019C89413E273B65BBDA0DDA1F33
                                                                                                                                                                                                                                                                  SHA1:3827B82672129D766441EE3A888FB20A214C9166
                                                                                                                                                                                                                                                                  SHA-256:0549B79D915012B84C8D2BB64CD5D5177BFF3CBB559EE25553F3728A8CF2FC61
                                                                                                                                                                                                                                                                  SHA-512:FADDD66A71B54FFEB1408BC740C85B57BE6476B79D5B2E048703B75D7450A24FC3B0F4B16383D0736A6AE5F29FECD95EBF3CF903093E411B6A97EC49B9FF725D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......>.....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710184
                                                                                                                                                                                                                                                                  Entropy (8bit):5.9605882988703245
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:1Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:1Bjk38WuBcAbwoA/BkjSHXP36RMGq
                                                                                                                                                                                                                                                                  MD5:71C0AFD3A6612415A6435862DA08D819
                                                                                                                                                                                                                                                                  SHA1:B4C3605A5C2FF30737818B6EE5B3C18E1CEB1DD0
                                                                                                                                                                                                                                                                  SHA-256:4285095545443E727BCF3CA4BEEDA95AC3A3F285C12DBFB9604582BAE1CB7329
                                                                                                                                                                                                                                                                  SHA-512:7BD7871354FAB8A20E1BC7A49E295E11BA130571A9F964671FF4524556D79A3B6AA08A48068F93F48914AB9EF5396E0F35A75F3579C2B0B64C698203FBD98E22
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.675518692328492
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqS2:guhMaVmzDC6k0EpYi60H
                                                                                                                                                                                                                                                                  MD5:EA6DC0FE3F04F7FA84E1D85C8E22A9F1
                                                                                                                                                                                                                                                                  SHA1:0DB3F1C2BBA5AA577C25A6DF1CA0968C161EA4FD
                                                                                                                                                                                                                                                                  SHA-256:75427BEBAEA898009A0C375AC78D2D5B85ED8D82FFB47B2F426DDDA53488084A
                                                                                                                                                                                                                                                                  SHA-512:11FE2A6285690537553A7E3EA5B8183CF9ECE7F518F56095F91E1CA5CB5377BCC12CE3D64EFFEF83411CD0CADD6BC9B782B0E621FBF323B394644B2D03B355D4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................2....@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):64040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.26683606308263
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:sYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zv:sKC9niwOepJ6TJPeb6NIUFg76Kzv
                                                                                                                                                                                                                                                                  MD5:89B48C386D60FBC7D9D3D8763B8072D8
                                                                                                                                                                                                                                                                  SHA1:BAFA1A4BA0A9851AE946C33C853CD9876ADF8547
                                                                                                                                                                                                                                                                  SHA-256:54121CBE1846804602A349FD840A9AD5156AF4C4C5CA3156EEF0485E66A11D27
                                                                                                                                                                                                                                                                  SHA-512:412CF12794691E760078E7FA51DDCFB53259FE1317B54656FA3691CC2A6470E2B76FE6F6399B7F23DB03C40C064151B1CCA44DECE66EFB85EBF7FEA93233AC10
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@.......v....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.17880192184794
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:mP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHW:mh0qjC5RMOHO420kN19
                                                                                                                                                                                                                                                                  MD5:70B39FAB40BC008A02944BE1683A6E14
                                                                                                                                                                                                                                                                  SHA1:D8024C5444457ED030237B8BF208344A01783366
                                                                                                                                                                                                                                                                  SHA-256:2F106177FDCE0FC2DDD76E3D594784673B8C5F5770F829FA4A804ED3D6095D05
                                                                                                                                                                                                                                                                  SHA-512:F2F023D79126F2EF57284709F81D54F8953DC8D95A325A1EC68DB3EB3776C9CF150BDFA741C8473946A1A00D337E4AA3E10E9756508F424E75DBCCF22C1D6B9B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`............@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6371360514611695
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:iTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08e0:iCn6xYEpYi60k87
                                                                                                                                                                                                                                                                  MD5:420069A4BBE2752182591DDF01D72133
                                                                                                                                                                                                                                                                  SHA1:40001DB247DB85C1FCD1C8BE9E5ED7534BE888C1
                                                                                                                                                                                                                                                                  SHA-256:31CB62AD3CA98187D24183A4A9B6C91BBF3DD345A344F3152DF974EA6D75B6FD
                                                                                                                                                                                                                                                                  SHA-512:476046825D7731FABED1C7F4317A874DA1BE5F237CE44587EE157B25FB24588F57D14F15041D82A23354802D587414206C195F6CD4B3DEFDB3431627595F936C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):50216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.207311639251304
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:39m7rm+YASu8B7i8d4g/eDEBHqLxAh7f61IkBnCqbC2WEpYi60hx:vzB7zDeIBKtAI15Bnu2X76u
                                                                                                                                                                                                                                                                  MD5:B950A696F021C3959CC6A057DDEF79FB
                                                                                                                                                                                                                                                                  SHA1:69E192D4EC941B4F7CEFEB1877B619149B5AA7AC
                                                                                                                                                                                                                                                                  SHA-256:CA64A8CBD3E49BBD47F1BDB5FB293E9856947AFFD38DF6AA31587C7C652BEE6C
                                                                                                                                                                                                                                                                  SHA-512:C1A3AC50CE2E989686F8238C87B02CA8EA7FFF10631E0538FC7B0FD1E8F5C70C3E72EAAB51F392CBD0DA110686EF891FD5497F55F890749BADD0170136800E36
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[]..........." ..0.................. ........... ....................................`.................................E...O.......................((..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................y.......H.......@K..Lf............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1140
                                                                                                                                                                                                                                                                  Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                  MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                                                  SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                                                  SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                                                  SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):6655016
                                                                                                                                                                                                                                                                  Entropy (8bit):6.267124988963532
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:XCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjA:vlV1qKpkfqbjeGVr4NHYJ60iA
                                                                                                                                                                                                                                                                  MD5:C92C6FDD6C8D332F2549CBD0246E00E8
                                                                                                                                                                                                                                                                  SHA1:000A23105DA6036C0F0F6BE078B1DF1362A80017
                                                                                                                                                                                                                                                                  SHA-256:5E2DB8CDD4607D548B8A079A9C4E475C830FC28BE99587495FA018C17161AB3F
                                                                                                                                                                                                                                                                  SHA-512:94F9A86402CFDECD62B667C40F43513BA66348F3CE1AFF5A392DCD59E4FF952AC403F5DBD9BFB9115824ED1D3D281BDD79539AD22DC9105D4031FE3F7EDE4F96
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e.....e(f...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):280616
                                                                                                                                                                                                                                                                  Entropy (8bit):5.690702355916042
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:mG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC3:mJrycoB3HVeESME3pnaVTS1nh7hCaG
                                                                                                                                                                                                                                                                  MD5:12DEA6200DFF02423B75E3BCDB989844
                                                                                                                                                                                                                                                                  SHA1:4181D3DFD7B01C6E918E7627C9A781745D1359F9
                                                                                                                                                                                                                                                                  SHA-256:E511D5AC445A9712EA9A3125CEA961F3EF91E52074DD2EFF422F774B47C19C64
                                                                                                                                                                                                                                                                  SHA-512:32651D140AEC8A0BBA35CD81B399516A7FEC3B9E0715C70F5F566F9A0BFD997303B46A471F06DA1D4FA4096387BDC3EE7C23FFB312713FAF72A8EBE9014D315D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`.......7....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1185456
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                                                  MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                                                  SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                                                  SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                                                  SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....J9rX...........=...AgentPackageRuntimeInstaller/AgentPackageRuntimeInstaller.exe....0........g.........^ ....,/_.U. *t....H......Z.X..x#...?....(/.EH.....r.l#.6.......76.b....u',4%.Y.br....W..VcO..[b/.....(....."I..u..S*....../.x...j.5.<b......n.v0.. z'M.....w.. ..qu.<...w...[...9....F...D..+....o....!..1I...^=H1.{.:=\...#V.]...1..)F.s":$.g.H.p.'^....K.F...3..}.......[J....xD.........._RB...... \=b.<.u 1k.Y....&.X.).`>M9.$H.].>t..^..!....}_.H.....h....uT.q..cJE.M... .QG..+?.gZM...G.9x.T.q..U..... X.s.....{....F.G$..$.A.n..jz]=.qi!U..4.>.e.7"..].O.F..XdciK..d_0..H..7rHd.jj.L.v6.< ........2.8....8.mc_.(!...\u...mY.........tv.e..,'..E......l..s`... s...W.Sx9b..Dnc...!0_..T.y..%r..{..E;....v"ce.K....{...).B....:N.H$..h..F.......Y.8k.....M....~9..X-M....f>~t..*#..R......6M....f....>-b.....W. .S.WO.c".>.....+iR..w~.u...6../..J..^&...K.BcQ.Fy....<.O.......P..y..#5:l.4.......~........g.:W...1.p7...K...n{.9~..c.h......NT.5...w........?_>XJ..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):55344
                                                                                                                                                                                                                                                                  Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                                                  MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                                                  SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                                                  SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                                                  SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ......o7....`.................................X...O.......L...............0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........K..|v...........................................................0..........s....(......%.-..( ...+..(!...}\.........s....s......o...+o.....=.r...p(.....(....(.....(....o....r?..p(.....(.......,..o ....*.......4..A.3......4.@t.......0..8.......(!...("...(!...(#...($...(!...o%...($...(!...o&.....&..*........44........('...*..{....*..{....*..{....*..{....*..{....*..('.....}......}.......}.......}......}....*......s....*......s....*......s....*......s....*V.('.....}.....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2010
                                                                                                                                                                                                                                                                  Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                                                  MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                                                  SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                                                  SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                                                  SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11
                                                                                                                                                                                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                                                  MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                                                  SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                                                  SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                                                  SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=1.6

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):93232
                                                                                                                                                                                                                                                                  Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                                                  MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                                                  SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                                                  SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                                                  SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ....................................`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95280
                                                                                                                                                                                                                                                                  Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                                                  MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                                                  SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                                                  SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                                                  SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ..............................P.....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16432
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                                                  MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                                                  SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                                                  SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                                                  SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):75312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                                                  MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                                                  SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                                                  SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                                                  SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`.......w....`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52272
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                                                  MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                                                  SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                                                  SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                                                  SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ...................................`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                                                  MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                                                  SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                                                  SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                                                  SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1409
                                                                                                                                                                                                                                                                  Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                                                  MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                                                  SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                                                  SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                                                  SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):883760
                                                                                                                                                                                                                                                                  Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                                                  MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                                                  SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                                                  SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                                                  SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................;....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                                                  MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                                                  SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                                                  SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                                                  SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):284208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                                                  MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                                                  SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                                                  SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                                                  SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                                                  MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                                                  SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                                                  SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                                                  SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):97328
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                                                  MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                                                  SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                                                  SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                                                  SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................P.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                                                  MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                                                  SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                                                  SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                                                  SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`......\.....@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17968
                                                                                                                                                                                                                                                                  Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                                                  MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                                                  SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                                                  SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                                                  SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):342865
                                                                                                                                                                                                                                                                  Entropy (8bit):7.9992844075056935
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:6144:9nQP7HqdkykjdqfvImDTIVfygNymRsl8aejvq13W/V191OQB6MBsUUnf7spSg+V1:9nQP7Hqdk/pqo0IVfb5na9Z619MQBxu9
                                                                                                                                                                                                                                                                  MD5:B3E14504A48BED32C53EC7AAB2CB2C8F
                                                                                                                                                                                                                                                                  SHA1:0BC0D486A5ED1C4CDF2390229883ED3473926882
                                                                                                                                                                                                                                                                  SHA-256:ADEA6001759B5604F60BBAEC8CE536A1E189ADEBC7394F9CFF3921CAE40C8C9B
                                                                                                                                                                                                                                                                  SHA-512:E5A5C09355EB9CB45DC872B59EDBD54F62F15445CA6CAAA3187E31E7928EF4453AE8405D9EEE5D2AEC4FA34965D3006DCF61C060B8691519A2312382612C683F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-......i/Y.h.9........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....0".......p.......(.|Le....r....W..........'.-._.{.a.b..-....6u.#."'+.u.9...B..n.....>!(.Tzs4a.g?.....{...J}...v..?.Q...........0.P..m.....2^...X..}k.....VU.HY.*.sZ..Y$H..j.g..p#...9..f/*.8...(...w...a.&B.`.bV/g{.....0.QRH.J.E.c.m.}!..T...N..74.r.*J...u,....\7...o...~.....>`X;.2i..g.7.^0..R0[P..."..7..t.d.........!#.}t..G.%7"p.jnG....(..Rg.K9..Z.#...w.4.351.......-.....v&.t.g?I.pA_.J..`..p,.....4G..h.D....d.:s..H..c....l-y\i.@.....lr.$..LC..._.<W.>.(..0B..rz...... V......v.{"........=..zSqA5.-..2...!.>..rB5g.....Tq.....!8\.S#.K.N.l[...L..|...i2..3pp..2'...Cx.@.<..q.\.<..J....&.\.X....mk...ic.....F.@r..^.^e.?....l#.9..Q..g..7a|2.@.g.h..:....|8...{[..N)~...6..i#.q..F5W.dK<.C..Wm..[KPI.......h.x..SO..m......6..*.........G.TS..p.Z.@..dx.N...\...OmO.Ho.l.^.#6.8.:eM4`...).yU....W....C.]......f.2....:...m;r..;...[...:D()2"....Q!S..ik5.../t.V..:s..f.a.V...}ou..o...j....b.....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):74288
                                                                                                                                                                                                                                                                  Entropy (8bit):5.498724993681897
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:y5TTyapvW7AM3ushkm7Xv2piJQ+VASa0oJoU0BaaOP/7HxZoU:yU48q230au/9
                                                                                                                                                                                                                                                                  MD5:749C51599FBF82422791E0DF1C1E841C
                                                                                                                                                                                                                                                                  SHA1:BBA9A471E9300BCD4EBE3359D3F73B53067B781D
                                                                                                                                                                                                                                                                  SHA-256:C176F54367F9DE7272B24FD4173271FD00E26C2DBDBF944B42D7673A295A65E6
                                                                                                                                                                                                                                                                  SHA-512:F0A5059B326446A7BD8F4C5B1BA5858D1AFFDC48603F6CE36355DAEAAB4ED3D1E853359A2440C69C5DEE3D47E84F7BF38D7ADF8707C277CD056F6EBCA5942CC5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0.............z.... ... ....@.. .......................`............`.................................(...O.... ..P...............0(...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B................\.......H........D..4............................................................0..........(....9....(....~9...%-.&~8.....}...s....%.9...(...+~:...%-.&~8.....~...s....%.:...(...+~;...%-.&~8.........s....%.;...(...+~<...%-.&~8.........s....%.<...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........7...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):541
                                                                                                                                                                                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXWl:WBQ
                                                                                                                                                                                                                                                                  MD5:3D66AE5ED06891E8CE75A39A24070844
                                                                                                                                                                                                                                                                  SHA1:368064119835D4376727A14706C41384446183E8
                                                                                                                                                                                                                                                                  SHA-256:73DBA8242FDB4DE1393B367A239F730ACA6713E6658BE69F1D8992AD26479176
                                                                                                                                                                                                                                                                  SHA-512:C0B61F92BB61A7BF90225D1BA5A1BEA0FC077C2481A2149663B546296421855AB3147C3A1F5372EBC920731624BC8578595C18CA9D138691C720FDCB86D03F8A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=23.4

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):96816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.180256382950937
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwht:gQUm2H5KTfOLgxFJjE50vksVUfPvC6
                                                                                                                                                                                                                                                                  MD5:EBBE06F612E1C8B87E3D4AACA15A29B5
                                                                                                                                                                                                                                                                  SHA1:D2B1317ED96EC0C92CCAF7E85F68EE24F289413F
                                                                                                                                                                                                                                                                  SHA-256:6CD16DCE27E724C2DAA098F131343FFDBBED0DA5B7EF62542B421A0817DE3A3E
                                                                                                                                                                                                                                                                  SHA-512:EB079EB409925516118DB4980BE734A645B7444BC51862CE7C95D52E0697B7B937BBACAF421FC5AF1A01D3262C1B19A3CF9376ADB0A5537DE0973E0B7DDE63DF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................Rm....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960782910515381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:PBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUJ:PBjk38WuBcAbwoA/BkjSHXP36RMG8
                                                                                                                                                                                                                                                                  MD5:3B395830460C2F72BC6CD12DD096DB0C
                                                                                                                                                                                                                                                                  SHA1:73063C63D2B562310AF76ABEF2A8B7E697389C94
                                                                                                                                                                                                                                                                  SHA-256:F7BB07B7C1718DBBCB692AA4296EBEFD7CCD1E55F27BE00703A3CE623AD38D5B
                                                                                                                                                                                                                                                                  SHA-512:DBCAEDDDC4D99586F1E04FDA97E1C706FBC6BE7BB766E0FE73ADDAD3116517010A3C1C92D7F54D71533B4C4459631966D8D0CF370ECF1F789F7D25FCB2F5A64E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\lh.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):86
                                                                                                                                                                                                                                                                  Entropy (8bit):5.037891610327009
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:YhKSLJf2B4VXwAxUdyW+JNFHlT/j1tmz14:Y5fVnrHJ/jo4
                                                                                                                                                                                                                                                                  MD5:BFD1C8849298D0A7E3D4B33CC14BBC61
                                                                                                                                                                                                                                                                  SHA1:D2DFC664A536C92767530DAD2DB5D51E95F95902
                                                                                                                                                                                                                                                                  SHA-256:1CF4953560C3355A4C74358074196E5826456621F59DAE679AC0DDA8F401A2C3
                                                                                                                                                                                                                                                                  SHA-512:0344A102569DD7A10142080ED3774A2E9F63E53FE7415211A2D98C97BB97E61B8CCC43A2101CA745F3C33CF788A033CD0967148EEB58D11DA300C69054218A9C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:{"DownloadedAt":"2024-11-08T18:00:54.6572567-05:00","Hash":"aq6ZFTx4Y1PHUL+PXJd5sQ=="}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):88
                                                                                                                                                                                                                                                                  Entropy (8bit):4.98831671061001
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:KPpLEE6LGKWqKRLXsmfWoVUgXAQJ:KPpZlKWqKRLX/qK
                                                                                                                                                                                                                                                                  MD5:8414F7682B600473598A3C826053DC0C
                                                                                                                                                                                                                                                                  SHA1:67E21BEB0087625F78CBD3B57F7E1FE55C885F27
                                                                                                                                                                                                                                                                  SHA-256:50A10B427990759915436B54C339C8E135A88F4EBFB98B01CF538BC7C6D90AD3
                                                                                                                                                                                                                                                                  SHA-512:CBE3553AC2D540EC2C2A8F9CF686C771AD641077745EA276DC10FB6F7C04819973761FBC29B9750E52356319698224ED54BBD65B6568177168AEAC92A1455EB1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..08/11/2024 07:55:03 Downloading installation to: C:\Windows\TEMP\SplashtopStreamer.exe

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):662057
                                                                                                                                                                                                                                                                  Entropy (8bit):7.999353949499206
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:12288:BBRK7zkUGwDTrw2rTX8HkklhCrdD2TpNwjaIj2nW7+7nZh2bdb:BBRyNJDw2rTX8Hk5rZ+IapZYV
                                                                                                                                                                                                                                                                  MD5:7895698867D1AD33934A8553B4806DC5
                                                                                                                                                                                                                                                                  SHA1:32704DF55DEAFF9BF0B4EE0B887541856578938B
                                                                                                                                                                                                                                                                  SHA-256:EF5854B5E800A534A08C083D4A3956DFC0A474FF540CAE9BF0A9077A213B2FF9
                                                                                                                                                                                                                                                                  SHA-512:20337093DDC5322C4B96C7BF26F1A0B966FAFDE70A96F7E9B5E9D36ACAC7D862BD2A50CAE9A63731B23904A9256C94CD3BB4E19768130580511EC4C408536A58
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....B.]Y.]Up........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....(........j........A.U...6X;..qH?(.8....1...FU..ux,....R.mn}..p.8.}m..N.o#.. <..Q.t..\...hP.9.....n,..X...%......S% ...x..+&Dq..f.Ao..o9.B .....?..-)X..v.,g<....5.|.....[.z<.&..D.P.(..1 i....{....G_.2.[m....Q...7..~#....<Aw..w..o...U.?...2....9.5.{e..H.$.,..T.C.H...siX..f....D.Pf!.......f.87e#......3...x.I.#...-..(.;....w]_.8#..\...a.%.K^z~...a}..~.g..C...@ek,i"^>s..c.'......Y.\.h....=.V....<.c..^B..Z....%..|'..3m..@}n..F..x....+.\.m.4..>.&....L....<.......y. ..X.K..@m~..>`1Y. ...Pv.Y.c.....w.....h.y.yL..|&.%}}Nr....E...u.4..`f...}..1...)...r..>).M.n.I.>..B........>.>...V...8.W..-.U..a..E........_#`y..X.....S..e..^.45...s....wp..$.r.D..+'....p..CK..B.=..q. .I.1r..u-9ZB.Oo.M.....3.._............:....K.....G./...I...d]p.....ht...k~...t..!.1.sf..?......k......A....n.3...\Z.f..l...X[........S....f....pG..p..I.... .(........E..F.u.......|..;.!.....w...%uL..i.V

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.276903482604295
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:MsK/GcLpkOGiHuAQ+INjkfEQ3Tnz8AnTqLx3OEpYi60nN:M/zpqiOAbINwfEQDz8QIx3v76GN
                                                                                                                                                                                                                                                                  MD5:C0F02EAA3EB28659D8F1BCBA8DE48479
                                                                                                                                                                                                                                                                  SHA1:5BE3C69E3F46DAFF4967484A09EB8C4A1F4A7F0F
                                                                                                                                                                                                                                                                  SHA-256:6BEFB51A6639CAE7E25570F5259F7B1F2D9B9B6539177D64D2ED8BE50DDE6268
                                                                                                                                                                                                                                                                  SHA-512:47B536FA628608A58F6F382BBC99911EEFF706BECFAF4B1C5FF904CA768917F40C2E916BA5A31992DF0335BA5A57755F047F70AAFAAC414FC655DA0CD6F95E34
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0.................. ........@.. ....................................`.................................D...O.......`...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................x.......H........B..dq...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):923
                                                                                                                                                                                                                                                                  Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                                                  MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                                                  SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                                                  SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                                                  SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                                                  MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                                                  SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                                                  SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                                                  SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=27.6

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):112168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.1656661918593905
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:f6sg/V5pWyNoWSh7Wyt1M2MAlb7UkN9/EVYFfbQgL/BR18xRUmHkEWpkGI76jC:fI8/Mmb+afbQgL/f182iGIJ
                                                                                                                                                                                                                                                                  MD5:6C7379E62BB26D3368555BDD5CD83E88
                                                                                                                                                                                                                                                                  SHA1:A406C91F1FC52525244B9E9EDC2A2188154A6109
                                                                                                                                                                                                                                                                  SHA-256:B87F055078EC819250F49ABAF196D42ECD994070BE5C14A9A157E783BCDA39B4
                                                                                                                                                                                                                                                                  SHA-512:E3FB4CE3826F39F8949EEFC147D7D07F2DB0265D421710A0058DEBBA9EFF21294563FDBE62020F42649E7E4A98CF63398C7F1D14E66712C5EB8EDA1D0C4CB5D6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........." ..0................. ........... ...................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H...........<!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):38952
                                                                                                                                                                                                                                                                  Entropy (8bit):6.310423924344811
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:LINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wg5t:MNsii6v/HS0+OJd5gpKm76tg5t
                                                                                                                                                                                                                                                                  MD5:75A85EBD35C909B1AE34FC3F37500E53
                                                                                                                                                                                                                                                                  SHA1:B7527367D4860841EA922589D66B928B27FE53CE
                                                                                                                                                                                                                                                                  SHA-256:D3C5160AB184F88A1CCF47846AAF8402200FCCD509B31A73B8AA19F529AB14FA
                                                                                                                                                                                                                                                                  SHA-512:96F4B49F8FA28A20CA893D69D7432F07D516C15C0FBCFE83891F832C15D1883518487410165206D481CDAB48C130257C073AD626E6F318F2DE31A441443CDACA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................1.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.853907358895156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:w1c5uLPirbW34/wUNyb8E9VF6IYijSJIVxRFTNUJyXo:w1cKmENUEpYi601U4Xo
                                                                                                                                                                                                                                                                  MD5:5F6C8C110454CFAC8B8EE908A953868F
                                                                                                                                                                                                                                                                  SHA1:C6A2B66C840C0F9324AA255AC8D6E440B2F2F3FF
                                                                                                                                                                                                                                                                  SHA-256:9E203ED95084AB3B3F3C199712E9C76DB4D9FB3AA5D6BF004ADA9FEE328B6AD5
                                                                                                                                                                                                                                                                  SHA-512:F682720C6BE19E2B1CDE3C4A03D7D1D7211A3789127F13C1C283F838B8045EAEC4B5C570DCB07ED054BAA5C23C839836D13D0DC8F00205B34862A185C581F537
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0..............-... ...@....@.. ..............................9|....`..................................,..O....@..................((...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1017
                                                                                                                                                                                                                                                                  Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                  MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                                                  SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                                                  SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                                                  SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398888
                                                                                                                                                                                                                                                                  Entropy (8bit):6.134219330910627
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:YjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvl:Y+e55LgIkTmyAAfTnMLvl
                                                                                                                                                                                                                                                                  MD5:E8815AB9546D6E490D2846504034579F
                                                                                                                                                                                                                                                                  SHA1:0555312ED1C700ECBC37BFCDE1140FEEE906FA0A
                                                                                                                                                                                                                                                                  SHA-256:4A48F3331F1CA29F3CD57658716A39837FCE120999CEF8E44B71FB885DBA861F
                                                                                                                                                                                                                                                                  SHA-512:67DF21BA4AEA22ED63EA7CB1E9E670815E88262E324D340B2BE7DD5361F770B12064F56016F1CD41024F6846E84B3EC0D4C61A5EE71FDF11879A7E714B0169B3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......N....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710184
                                                                                                                                                                                                                                                                  Entropy (8bit):5.960700768144483
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:xBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUQ:xBjk38WuBcAbwoA/BkjSHXP36RMGh
                                                                                                                                                                                                                                                                  MD5:C1ED198D6A5A3B91803AE06CAD22C3F1
                                                                                                                                                                                                                                                                  SHA1:CC59677BE3ECFD80EDF5D1CF2EB90742092111A2
                                                                                                                                                                                                                                                                  SHA-256:D46156C73123F9E5F3008C58461EB19DE5935A21FD33366C4AF02682AB42C8F4
                                                                                                                                                                                                                                                                  SHA-512:26CDBA17B6546F8E9D43243EB708FCCA5DA8EB19AC164695DADB944F71CFFEEC908E9F269FE90F0163B332164D725CF0494AAB165677B588B188FFEB888D964B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18472
                                                                                                                                                                                                                                                                  Entropy (8bit):6.705325491847164
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:dqHstMuvMK2tFNyb8E9VF6IYijSJIVx8s6:dXMukKeBEpYi60y
                                                                                                                                                                                                                                                                  MD5:21A4630C5A4D88DAA5C57E45FFCA3A7A
                                                                                                                                                                                                                                                                  SHA1:CD8D4B45D46F10BE5490D9A14D78C2F1B65288C6
                                                                                                                                                                                                                                                                  SHA-256:4869FC8C272289D814DD591294C9189B4D937DA08EF899D47D79D8D74557977B
                                                                                                                                                                                                                                                                  SHA-512:5B8650D6121AF5074EC65B59EE2067AC013AAB3E888FB1777FF6533F9125C453E9CEC24843468DD6C4030807CA988F9FD0E338AC54BA391C53D2F484BC4310E1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g.........."...0..............4... ...@....@.. ...................................`.................................d4..O....@............... ..((...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):975
                                                                                                                                                                                                                                                                  Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                  MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                                                  SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                                                  SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                                                  SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.676761287031738
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Zy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqgzXU:ZuhMaVmzDC6k0EpYi60gk
                                                                                                                                                                                                                                                                  MD5:66084E1A2EF0F7EE9C19238C7F6D6DFB
                                                                                                                                                                                                                                                                  SHA1:0DE978530731CDEF53D0302D7CA32A5C56E3856C
                                                                                                                                                                                                                                                                  SHA-256:A1078DD6A3A1AB3FD28EB1B5EC10BB126C14807F3DBDA81650F75AC79AEE7E46
                                                                                                                                                                                                                                                                  SHA-512:97A4A18878BF64C20869F4A1A60CBF2A12D57413FB197C15A547CE5B1BCCA31FE36D11A4F5B300F23179C8B153B76E3C73D311545C67E6694FECEA706BA6914E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................,....@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):64040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.266538479286202
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:HYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zPk:HKC9niwOepJ6TJPeb6NIUFg76Kzs
                                                                                                                                                                                                                                                                  MD5:6D09B622635ED02D52600299F6102645
                                                                                                                                                                                                                                                                  SHA1:BFE508CD7D9F302E1A5C26184A46B752F64CCECC
                                                                                                                                                                                                                                                                  SHA-256:4E27A624A06023843D8369ABAC1E042845135AF278486FD86C3680928AECF66D
                                                                                                                                                                                                                                                                  SHA-512:6C4197E00E0C10ED1FF8E073A9D080C9C913A4CF2CB1B80F047B76F788059604F60F7D750A6EE8E66C65AB02BB847E4CBF737397B9E2C849A633674DAAF9AE96
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@......t.....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.178769713478036
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:CP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHF:Ch0qjC5RMOHO420kN1+
                                                                                                                                                                                                                                                                  MD5:825B1939391B03517732A72AA489B50B
                                                                                                                                                                                                                                                                  SHA1:B8B1E37E60C68E7C73D42A7C532E507DAE1B1D4C
                                                                                                                                                                                                                                                                  SHA-256:B1A7D040D2CFB5DF692BDE7D5C2CEEDE266D9A7B31804658FFBDAAA147E36C39
                                                                                                                                                                                                                                                                  SHA-512:74C71265D4AA0FE2B409DB33CE40F83D1208F225808AF780DDE72E02ABE1C9BF431630BB9CF2D46E097400DED78D6B9456B41643EE0C5B5C4C3649C5B30B0241
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......-....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.634307366985014
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:2TO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08V83Y:2Cn6xYEpYi60k8yI
                                                                                                                                                                                                                                                                  MD5:72823338F267AE2E3B0ED7AB100DE427
                                                                                                                                                                                                                                                                  SHA1:C03CC9B7F7B1C2895A8568A3F579F154BADE75B3
                                                                                                                                                                                                                                                                  SHA-256:C29D08E8169DA52E8027AC9755CE99D81B2882B8A1F55648BBED8DB2A85B2BBC
                                                                                                                                                                                                                                                                  SHA-512:784F69300FD79F62556D473BD37A21ECFB743B5D063CF49299B35101A8399FC2A6F208D3A656C261180DA2558AC5FC93E397131BA0F9C1A2AE3B410328684B52
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ...............................W....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3265339
                                                                                                                                                                                                                                                                  Entropy (8bit):7.9998753634262805
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:98304:wXFoIT/tvGX5NRtboDmkXHZFs3YTC8joGQ:wXFoCVvm3RkmYs34/or
                                                                                                                                                                                                                                                                  MD5:85E1898362165FC1315D18ABB73C1B37
                                                                                                                                                                                                                                                                  SHA1:289A48BA5EE27C0134F75E243C55A90D32C11A05
                                                                                                                                                                                                                                                                  SHA-256:D0594B261E16394244C64289DAC00367FDC853A1A8E542E0E814A57494C5228A
                                                                                                                                                                                                                                                                  SHA-512:49FDBEF67C2A85B5D319C26E6E55456C94D294B836C946B9966C8746FB33DE4EDE62B93BA91AD657DF4DB24FDB3EE1DE7395652AE1086C876B7D0B85000D594A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-.....BYfY.GYZ......../...AgentPackageTicketing/AgentPackageTicketing.exe....(........I........pSu.&.VR..9K..N.e...s.I..-.G.....#..t_k.#`.......+..Y{..~..W.}......W..{.ft..e;.-..4v.....`.n#...,.wWR#.^x..g0.~..1....v(....h..YS../!..D/.....8L.....l.....d.dsrMK.5.T:#.#....~....kF.G.."S...../?V#G.....;T.....X.D.1....R..UkV..C.6z...3"...Ki%.b3]W.5..."5^Z!.3.o.IA.S.....Hz.C......fTW*...F.....q..........i..Tn.JW...4)..7e.. ....^.O.4*/...=.Q...$.....a...{^_d.dr..&...C#.....!1........{.UP...<..z q6.[.NR.^H.r.{..........~g.Y.a.'..x{."G.+t.......f...J........U....!.(.e.$......jd...AB.........r?[..!s@.........=."cK..K!.L.........X*...h.U/........u.%.........'5..:.in'...>hk7....u..+.h.0E.0....~..fI...?...[.......`h....f....j.yQ.0....6<.....KM.M...~.~...o.v.`?...T..V.....t.B.. S...:.$.!w......V.~....x........./8.......U..o..4..l.....^.L.+...ya.|.y..*....V6l/a-........w........z...iU`&.Gu.8.......Y..M,.B.....=s.}P..%.Ug.0"E.....]..r.....P....Hh...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):33320
                                                                                                                                                                                                                                                                  Entropy (8bit):6.302751646709905
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:b2G6bukIMKWcoBYRYm2uNNKAWFkfoi75yVUDMMXpO6FREVugmRNyb8E9VF6IYij1:OLKFvbJdUExLreVugm1EpYi60b
                                                                                                                                                                                                                                                                  MD5:F531D3157E9FF57EEA92DB36C40E283E
                                                                                                                                                                                                                                                                  SHA1:D0E49925476AF438875FA9B1CCFB9077FA371ECC
                                                                                                                                                                                                                                                                  SHA-256:30AA4B3E85E20ADA6FE045C7E93FEE0D4642DCABD358A9987D7289C2C5582251
                                                                                                                                                                                                                                                                  SHA-512:27D247AB93EF313CE06FF5C1DECA4B0819B688839C46808A6BE709C205C81B93562181926A36A45A7DA9570BAEA3B3152B6673A3BCCE0B9326C7D3599A3D63C8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0..N...........m... ........@.. ....................................`.................................4m..O.......4............Z..((...........k............................................... ............... ..H............text....M... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................hm......H.......p4...7...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1537
                                                                                                                                                                                                                                                                  Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                                                  MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                                                  SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                                                  SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                                                  SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhWC:Wr
                                                                                                                                                                                                                                                                  MD5:E4F836B4F3891BBADA14E96E3A14DA0B
                                                                                                                                                                                                                                                                  SHA1:7EE80364384F7B8D2E17F2A88CB525DE5EA35E0D
                                                                                                                                                                                                                                                                  SHA-256:F0F039EFB829B599B2848F130363C6C64ABF1715C3DBC909B3080E52BD88865C
                                                                                                                                                                                                                                                                  SHA-512:C7F31502846570D9BD3C3B570259ACABE9036A94A5D006F51A6C02E85CFA24B522D84C3BF9DFBFF091A2BD91B5F606537061E77917EFCB48ACB4E77C9A6DAA17
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=30.1

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):112168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.180052759903044
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:QgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj76F:QUpviy8UHTRxrybQgLbGm8FUpj3m
                                                                                                                                                                                                                                                                  MD5:97A69DDA383FBE34325726EBF08F71AB
                                                                                                                                                                                                                                                                  SHA1:5551E93C80FE2EF2C1D421CCB5F755C36D55A1B3
                                                                                                                                                                                                                                                                  SHA-256:D3C8B89DBAC2CB26FC0B1F5F7FAD9D549195A28D694455109CF618F5B38D33AF
                                                                                                                                                                                                                                                                  SHA-512:CA8147C0CFD338CDC99238B3B6AE6CC76B6EF1506F37E076B975ED8CA35C3CB262543ED8C88C9F4F72F1A6E8BDB41ECF8504F69C0B4D4F0C20FFE968C496A065
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ...............................~....`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):145448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.203328996620754
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:QRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhj:E9XeDmzV2yzlhKLFU1lLVp1+2flYFnQG
                                                                                                                                                                                                                                                                  MD5:8DE7772DDF2A0DF4675EFD16E4735D4C
                                                                                                                                                                                                                                                                  SHA1:2F50EF70C9E13C2E6B4D75C9A975A05D7309FFE0
                                                                                                                                                                                                                                                                  SHA-256:3307A88999CBFAEC9D3380ED936AACDABB72B40731382D660023FAC12B97749A
                                                                                                                                                                                                                                                                  SHA-512:BBB520767A13C61C3BA34A9E1029FB734299A6FBC2D67F7C2BB265608665424CE2692EAB585DD9418C3BE7B89B93162D63243E2BDEC271A0A0B5444DA6E834B7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ....................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):38952
                                                                                                                                                                                                                                                                  Entropy (8bit):6.310977200199562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:ZINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:eNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                                                  MD5:37A74170412F7E806A24B640FCAE7EC6
                                                                                                                                                                                                                                                                  SHA1:90448127248633B5CE6A0B890F33F09A523A0D5E
                                                                                                                                                                                                                                                                  SHA-256:BC4B76BEB03D4B09B48441CB0039FEC91F844196E73A258AE6225E524B2BFCB5
                                                                                                                                                                                                                                                                  SHA-512:41E87A409E54E63C853041E966BE2E4E625469EE942DD251F64271EA2D8657D22B0C5F5404E43DDDC8EA55AE765A8168228A80BE8B2C1677974DB708FC58653E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ..............................f.....@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29224
                                                                                                                                                                                                                                                                  Entropy (8bit):6.671409310333907
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:QmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFJ:8SJh5tIYQzT5zyF60aEpYi60b
                                                                                                                                                                                                                                                                  MD5:707F4569B38DFA3C72FDC964F8472C92
                                                                                                                                                                                                                                                                  SHA1:F98DB57DF20F0ED9310DF948837E57EF8D60719E
                                                                                                                                                                                                                                                                  SHA-256:0B78ABE856BB9DD793B81CC0771A5188F4A9B86DDCA57671E3E77CA4B7FA0192
                                                                                                                                                                                                                                                                  SHA-512:B8C4C1F28CAEF3FAC4F7B8C9A01413A2E2B351668E0E0B93D8BAD0C43219D175865C493C33A232F0C662174EFBCFA812E07DFD3C10AC63D17018E5372C59D760
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................k....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):219176
                                                                                                                                                                                                                                                                  Entropy (8bit):6.062499353482465
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:gYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlc:gYqqbe2CSod5dtM8ww7P4
                                                                                                                                                                                                                                                                  MD5:A1EE7DE3F698BF1EA25A8979D9E5152F
                                                                                                                                                                                                                                                                  SHA1:B8C58F0AFD24E322A032171B9A5AAA74114A50FD
                                                                                                                                                                                                                                                                  SHA-256:2A38E10454BFBD94AC61886A66AB46F498529924963EDDB95C9980DBD2EBC2C4
                                                                                                                                                                                                                                                                  SHA-512:77BFE85B53BC4B409D2C25629A19D29C1CD3F24DE212871B739FE97D8AF5D9B70E89E7DB6FF23FCC46E771F2431E7C97D3B17F08061ECB593F319E78501CA0A7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ....................................@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):302120
                                                                                                                                                                                                                                                                  Entropy (8bit):7.175764387769887
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:LVi5mx115y505H0jIfJMSFk9X0jIfJMSFk9p:hswJMykwwJMykp
                                                                                                                                                                                                                                                                  MD5:FD82F0A09F58BDBAB946BB48E8CFFC1D
                                                                                                                                                                                                                                                                  SHA1:93A3F10F4BA6AA84B4A9C3F7D2CA94548EFD6B83
                                                                                                                                                                                                                                                                  SHA-256:DCF71123BE9AB08F1A71F9F0987D6CBEFD53DC66B4A6BB6C8260ABEC145233BE
                                                                                                                                                                                                                                                                  SHA-512:A21C2C461340B47C80F9984AFAEB0A8783F0655A742FF5F7A2D16CDAD59D25E45959FD2299C7DB98BE13986F16E95E6774F38489824719DD92058ECEFB6C8680
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J3..........." ..0..l............... ........... ....................................`.................................K...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B........................H.......$W..(u..........L...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):432
                                                                                                                                                                                                                                                                  Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                  MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                                                  SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                                                  SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                                                  SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):215080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.0303185411774365
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:Y1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sg:XIzm6pOIgvr75
                                                                                                                                                                                                                                                                  MD5:EB52EB05FFA0E3CD25485581883796BE
                                                                                                                                                                                                                                                                  SHA1:BF9A76B2DB32FF3DB9AB999C34B51056A05EF288
                                                                                                                                                                                                                                                                  SHA-256:BF040E1C2BD2216D0D661F5C1EA4DF1F3526EEECF4EBCCDBA56DD677BB813F17
                                                                                                                                                                                                                                                                  SHA-512:3FA920BDB568B7BA87A4B0D4DBA594A04FEDA6CA6F56298AB5C4AE66F76671DC8B2A1CB6B12758B93470087DEB443120E7C985C2FAD217FC91CDBE27E5BC78DD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................._....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):398888
                                                                                                                                                                                                                                                                  Entropy (8bit):6.134117423700613
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:yjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvk:y+e55LgIkTmyAAfTnMLvk
                                                                                                                                                                                                                                                                  MD5:30A9C0DABB202EE229EC55D4130D3D31
                                                                                                                                                                                                                                                                  SHA1:9DFD72765AFE775560F0871B089380736DE565CA
                                                                                                                                                                                                                                                                  SHA-256:54CC4581F6D88F77BFE4DB8628D763E9D111836024476C58B43135E9B07B808E
                                                                                                                                                                                                                                                                  SHA-512:8B092220F4F825E21CC1F20F52563CB0A812D7EE885B3FF4B618343BF5FBE61A32A3587E6CF19293C2E76A99AA156BBF096BAFC585CA9FFDF56FBB56BEDFC72A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......@9....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710184
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96062510170894
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:vBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUd:vBjk38WuBcAbwoA/BkjSHXP36RMGU
                                                                                                                                                                                                                                                                  MD5:9BAE200AC815334531D1EBD0B2328050
                                                                                                                                                                                                                                                                  SHA1:9757F595684A41065A7B326DF777D9F5E2384A7B
                                                                                                                                                                                                                                                                  SHA-256:5E67AE7EC5BB6A12B46C7C4028C76580C4A8BD583A4A6B63AE3A417CA9D669D3
                                                                                                                                                                                                                                                                  SHA-512:5959B41DC37199C03783022227D456C7DC2D81BFC8F6E6321DE4F968276CB83BC6D420C1665D0092D5B89C56F726F7C25DAD78B7D8DA7583F952A19294A3358D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):154664
                                                                                                                                                                                                                                                                  Entropy (8bit):5.990669081913453
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:q4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3nXyy:q4wZywKn/U5xEwKIk0WI
                                                                                                                                                                                                                                                                  MD5:6BC1F35C566DB4ECD8BAF3743D2870E6
                                                                                                                                                                                                                                                                  SHA1:601715D1D9819B47C82B319FE2A4997BA309E253
                                                                                                                                                                                                                                                                  SHA-256:A06603E1BED06E77D6AF9F074B5B9C38FC1EF071642DEBB9CA7346E7A0DE43BA
                                                                                                                                                                                                                                                                  SHA-512:8FB6F9F2633FAD6E52EBD72508B6ABFB018D084FAE208E5DB78058A4C56440241606F37EAB30BBFDAB9FB12A47A5355B077884CEEEB45DEB6362F818358ADB24
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ..............................H.....@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.668355487331651
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:/rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAwBr:/rMcXP64LEpYi605r
                                                                                                                                                                                                                                                                  MD5:605210914808A62CA857B3F8D108B90D
                                                                                                                                                                                                                                                                  SHA1:64E76CDB5B64664EF47670B9163BE8A9D50E548D
                                                                                                                                                                                                                                                                  SHA-256:C898601F4343913B0F1E9858A743AAA9EDB939C038A9C53533BACF8337FD9B71
                                                                                                                                                                                                                                                                  SHA-512:C0EEF0A097805E6F430E7FE593387CE8F03C6E5C5F921EDCA6B61378DF0A928EBA12945AB7ABC7A347BEA3F463B3E2CAF811B832EE832B30BA03B244D60D901E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................f-....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):420392
                                                                                                                                                                                                                                                                  Entropy (8bit):6.109606170124341
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:u5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFL:upjblhW1r
                                                                                                                                                                                                                                                                  MD5:C5F7EE9E0C29B6C6EEAEFB5CCA587583
                                                                                                                                                                                                                                                                  SHA1:899F92435FA37001A2A1C68F02FF2AA08398F074
                                                                                                                                                                                                                                                                  SHA-256:A3F70425EBD28D6C5D908375411BF1495480DF1A4E74FB4DB55890830B54070B
                                                                                                                                                                                                                                                                  SHA-512:017A9818F2E294F801179A8A06166539F83EE2C6F7170AD3E3594BC08DF38F95B8EDE0B767AEABB1D9208EA59200586573AC896B22EE6318987339019A7514CE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ....................................`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):64040
                                                                                                                                                                                                                                                                  Entropy (8bit):6.267139970059605
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:AYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zg:AKC9niwOepJ6TJPeb6NIUFg76Kzg
                                                                                                                                                                                                                                                                  MD5:9EE2967BB286D1A63BD8E0087A8661BE
                                                                                                                                                                                                                                                                  SHA1:AF02F80E82D27D1EF55CD9902C2DD43A2E1567BF
                                                                                                                                                                                                                                                                  SHA-256:E13E0D62F93E846A783D5D719D09AAB06FA4F61A15B660460ED1D08061C25C6A
                                                                                                                                                                                                                                                                  SHA-512:AE58531F097A10F751FAE04432059C1105F24405AF06E93CB48635F2A102B73DB653B84E85A9824265E68338B03829ED0935AF34FB40265711FA02A081671A46
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):142376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.160698125720867
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:GUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq4:xBFd3/aFs2d
                                                                                                                                                                                                                                                                  MD5:82CF1FECB4D590BC03BEFF0336FB8CD0
                                                                                                                                                                                                                                                                  SHA1:CDE93175B010A14679BC4DAC27E3A9D36F2C7B8B
                                                                                                                                                                                                                                                                  SHA-256:45653A5E5940E9F8158235F3B5534C5DF47E9E9A5568AE60040A03B3451D03B1
                                                                                                                                                                                                                                                                  SHA-512:ED713069ECEE9DB6F94355DDA815B9FC7A689E76678476EB0C908388014BC88F4625FF310BB8B65B5F470B236830C5B3650EC5ABA56BE2EF5ACAC3873626F20E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......\....@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):110120
                                                                                                                                                                                                                                                                  Entropy (8bit):5.511508970225241
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:1POw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76J:1Ww0SUUKBM8aOUiiGw7qa9tK/Yb2
                                                                                                                                                                                                                                                                  MD5:00B3D67D45C71784C7B4D3BB30547E9C
                                                                                                                                                                                                                                                                  SHA1:60C1D92D6A31AE50C9F780C7B31C9F6B7D15F1C9
                                                                                                                                                                                                                                                                  SHA-256:2E21AE066913936DC41D3563F355F81327265FAB501B339023E48352E35BF132
                                                                                                                                                                                                                                                                  SHA-512:1389DC57A1C8D37EFC7377232383D540134FD18A67CEC3F702FD0BAE0EF90E179CD0F3F2F3592EAD227F139AB88DBC06971A63A5C8DB1CE164B04FE744C54BD2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................S.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.669890024742661
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Sh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBEWr3m:Sy9gpEpYi60AXW
                                                                                                                                                                                                                                                                  MD5:18130E186CFE1DD3BFEAB111DD0FAE32
                                                                                                                                                                                                                                                                  SHA1:B519EA32B0B0F1B00B75FBB2AF5D99F91D24BC70
                                                                                                                                                                                                                                                                  SHA-256:3DF3784F25B3EE4FD24E7B0A0770C0280B09F7CD984E94F622F98E39466E654B
                                                                                                                                                                                                                                                                  SHA-512:38625510113ED4038C9216DE0B969EA18CEE201C89A2E861D46C149A36F609B16ABF4D89DF57DD783F118C5C7B93520C8D2BCADC961E351A62D88913CD5EF1D6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................7.....@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):19496
                                                                                                                                                                                                                                                                  Entropy (8bit):6.523111004922817
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:7yPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFtfV:7Ws6oqDjADKeDa5EpYi60/V
                                                                                                                                                                                                                                                                  MD5:567881C8D62A69733878564CA833B403
                                                                                                                                                                                                                                                                  SHA1:41B4994EB6C5896A4244B417A490A58D462B75DC
                                                                                                                                                                                                                                                                  SHA-256:D1837A1C9BF26CD129F672FC7191239AECEA5936E87A5BE101BB0649C1392EAD
                                                                                                                                                                                                                                                                  SHA-512:063B0FBB266D0E4EAF52B4B4EE0C327F1CC2FA7963D7024F7905EB6E5206D42983FD875A816983C935B1BA9EF55113A524A36560BC38F5E403BD3FB94EFCAF45
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ..............................Q\....@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41512
                                                                                                                                                                                                                                                                  Entropy (8bit):6.408844229157189
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ZjfAw5tisU7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjBFtNyb8E9VF6IYijx:ZksU74GX7nwOa5VS2ozdBFJEpYi60BZ
                                                                                                                                                                                                                                                                  MD5:A5C8328575581E4D41D9B41619EC09CC
                                                                                                                                                                                                                                                                  SHA1:ECF10FE71F38457C2E6C1302150E33F205282318
                                                                                                                                                                                                                                                                  SHA-256:978A57BAA3D95D3EF26EF8397E92C3F8F3FDC3CDF24D34B67F3BDB5FAB834D05
                                                                                                                                                                                                                                                                  SHA-512:011C577B1DB257D52D20CEBC1847B7A036453C3CD38968BEED9E558E502C84DBF3592D2C70183A8D7BF6FD60FBD01555A6DADAD44741ABCDC94E5CB83151B067
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0..n..........r.... ........@.. .............................. B....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1547
                                                                                                                                                                                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):79912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.0518541609970535
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:fK7G/lnhlforkV5/EmaScsU7cywzLFTw76L9:fthlQAV5/PaFsU7cyQFTwa9
                                                                                                                                                                                                                                                                  MD5:4280F0FBC4E40A71E2E03D18CE1BE1F5
                                                                                                                                                                                                                                                                  SHA1:80C396D199D31E9E5B8EC85C3F1B2BC206973BEA
                                                                                                                                                                                                                                                                  SHA-256:99CCAB5EA739DFD2B0ED4DA2832AC75756AE02FF04143C0B1941784AB4CF8BAD
                                                                                                                                                                                                                                                                  SHA-512:27B584B0FD10F681EE6D8372B4F32FD418593908FF27EC3F681FAE2C3DF3B8A3E3D18B6D40D3935E559280563F8D84E9D4725E73CA421EE9DC2FFC44ACD1546C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i............" ..0.............*$... ...@....... ...............................q....`..................................#..O....@..................((...`...... #..8............................................ ............... ..H............text...0.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......hY...............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.l...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):953
                                                                                                                                                                                                                                                                  Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                                                  MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                                                  SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                                                  SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                                                  SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):351272
                                                                                                                                                                                                                                                                  Entropy (8bit):2.9077205572565528
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:lGO21tSb/jb5aEH8VAynnnnnnnnnnnnnnn8XZH:lR5X
                                                                                                                                                                                                                                                                  MD5:5A59A3D00878BC0F1F678AF81A0439DF
                                                                                                                                                                                                                                                                  SHA1:0FD59FB8A57A4965F5A28BB7C59E72A0A76761E2
                                                                                                                                                                                                                                                                  SHA-256:6FC476950C00E8ADC245F58ADF9EE1E2C17DD34F1AA004285148F85CE651BDA6
                                                                                                                                                                                                                                                                  SHA-512:0512DBA7A45310D40415023DB3BC081E17636B7E3DE06D06EBE841EB0877B302BE67354B825C8F2E50FEDA34458E807D307A58E65BB7DF811CC9A4D2A81F5A5C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M+g.........."...0......d........... ........@.. ....................................`.....................................O........a...........4..((........................................................... ............... ..H............text........ ...................... ..`.rsrc....a.......b..................@..@.reloc...............2..............@..B........................H........*..h&..........(Q..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1786
                                                                                                                                                                                                                                                                  Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                                                  MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                                                  SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                                                  SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                                                  SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):59944
                                                                                                                                                                                                                                                                  Entropy (8bit):6.130879435815544
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:f6O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60cB:f6O4JuxnT+UuLMcBClyrvGGa76HB
                                                                                                                                                                                                                                                                  MD5:59864C477F3C1F03DEAD4ABC720F6E17
                                                                                                                                                                                                                                                                  SHA1:31187ED10389FB0758491719F1FD49A1DAA9961A
                                                                                                                                                                                                                                                                  SHA-256:F192BF7246AB25C5E6279CFBDA87EF7F187F43E15102F9FEDBCDD64F22A1914F
                                                                                                                                                                                                                                                                  SHA-512:621FB602D6CA323B224E726E8ECC294BEC2E57D2B8B693CA622A9A3D988EF8A97D6DFFC98C3C2D1F2A22E218BB7E54F409087C75D456B5B5DBC57298A964F82D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ............`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1191
                                                                                                                                                                                                                                                                  Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                                                  MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                                                  SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                                                  SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                                                  SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.496637771650592
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:4LOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyqT:4nMTR0Pa25EpYi60q
                                                                                                                                                                                                                                                                  MD5:BD64C182A6328A0447CEB7B95594CD03
                                                                                                                                                                                                                                                                  SHA1:7CC8D0CD30F18DB3F6DF653C09ED84E772E154CF
                                                                                                                                                                                                                                                                  SHA-256:409F42114C6E8C2CA2A0CBEB381BC5FECEE8F874100069062779EAC0E1F026B7
                                                                                                                                                                                                                                                                  SHA-512:BB02105BB595FF185D0DC46716717209C3A033534FB297B930919AE761D0F2288292E0730CAB41B903347BBEB72B3EE6D0A3B743F3EF12A208654F506409354A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ..............................8J....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1817640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5513719499124194
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:x9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPn:x9Nzm31PMon
                                                                                                                                                                                                                                                                  MD5:05340978B996457954B18B985C27B353
                                                                                                                                                                                                                                                                  SHA1:00C6DA1D707F3A892549023DD7E6A9E702ADA7B6
                                                                                                                                                                                                                                                                  SHA-256:B2C723A9EA911B88BBE1EF2F3B51DBB156E4F525DEA7294EDB24B3D05E31560C
                                                                                                                                                                                                                                                                  SHA-512:0D9F688708BADE4E6B0B282A3ECED8B9EC2EF9717D0B36DD8214B207C631C75BF902C9FB247AEF6E1496EC48CD63DA4E9D006634A7D1B58ACA6A6FC97010B0B4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................j.....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1436200
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7813386810105865
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:Vs5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEs3:AlI+vIjE7mjOuKa8Riy+gvhaIn2+0U
                                                                                                                                                                                                                                                                  MD5:64495CDE32937D4E290475D65956A4C9
                                                                                                                                                                                                                                                                  SHA1:B51B42D7FB5185928069F22C70C1303037F11D3C
                                                                                                                                                                                                                                                                  SHA-256:AC66BC7D48BEDE595CD8D60395B622B6971A21809D7AE9828B3B32477E6049D9
                                                                                                                                                                                                                                                                  SHA-512:CD0C009C898F36D6574CF19F7B64321C8D312A6B62586DAE90B4CFBFB88B963A4BEB0218119225B2B270CCB28318F87E26880BB2A3FFE838A69AF57F6DB096BB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):583489
                                                                                                                                                                                                                                                                  Entropy (8bit):7.99944408666799
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:12288:CLLJGMlifhYeKrN8qSQDqPVK04BwQjtVcUf7DmZMilOugjC6w:GwfhYeKraZQDqPY0E/4Uf7owugjm
                                                                                                                                                                                                                                                                  MD5:9614D1DA18956DE06747C03068208D66
                                                                                                                                                                                                                                                                  SHA1:FEA2680DDB9E4CEEA8489A132DF9A1542FEBFE88
                                                                                                                                                                                                                                                                  SHA-256:DDE9E0CA3FD274902F1A4C22CFEC6870C6C4DBBCCAD17D2189477AB60F769DAB
                                                                                                                                                                                                                                                                  SHA-512:D8E46A5819E9DCED61471966646DE153BF3480933054C50190D50DE4900685265367B12C9147630F184CE8809786FC010BF6FCD1884035FB4C77CFDE660A8B9D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PK..-......q1Y............5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....0........d.......o.H..:|p^xA......v.g.J..r:.....@..Q..H..^"]....G..... |...o.<?%....#".....3_s....c..JN.j..Vg_.....$...".,=T.=..5.b.U-..5..7"..H.....9462.._.Mb.e....&.cJ.+!:.....7H]p..#..()6~..0...|8..\......~.D..M.R..Y-[.efI...O..3..\.D.O.V."..0....l.....~.zdP.Hh.r.^R.z5 .=b.....%.X....(..E..T].'bk..ir...V...|.M....=...<..e...5... ...V./.....,....{..-.xa..s.}.e.{........y.%.LY^..HnIp.;....+.Gy.. .Z..e2.bxOy.._...L..g.F.{.C.....9......T.^.I.........NK4.a..4...cf<..@.GI..q..L7.]..f.g[.......E|{x...1....E...8..!.u..g..^%....Y.5^..|...H.....&hQ..E..i(:.6.............)A...Q=..).l..bs#5......./..Q.3..8.-......f@WV.d]i".{d[..v.p.l+.WO.]L...x<....rz#.*i......!.-.F*.:\9.%.cI.Y...=..f.\....9?.v,..}<../<c...U..C._o....'. .;..$,.. .Y......z..m.........#t.<..i..s....u...D..}5O..5O......j..O.../.%8.p.5...@....M....[rG...L.o...J2..<rS...[i<....})}....[x.....v^..=.su....Oy@g....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):55344
                                                                                                                                                                                                                                                                  Entropy (8bit):5.801614737823664
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:R4DgbepEIgcvDiMd+R5B153ieGuftxw5dfiGoxkEpYinAMxCN4:Rr4EIgcxdQdGuftxw5dfiZd7Hxe4
                                                                                                                                                                                                                                                                  MD5:D11B2139D29E79D795054C3866898B7F
                                                                                                                                                                                                                                                                  SHA1:020581C77ED4BC01C3F3912F304A46C12CA443E6
                                                                                                                                                                                                                                                                  SHA-256:11CDB5EC172389F93F80D8EFF0B9E5D4A98CFEAB6F2C0E0BC301A6895A747566
                                                                                                                                                                                                                                                                  SHA-512:DE5DEF2EFCBA83A4B9301DD342391C306CF68D0BB64104839DFC329B343544FD40597A2B9867FD2A8739C63081D74157ACFC9B59C0CB4878B2F5155F582A6F09
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..f.........."...0.................. ........@.. ....................... .......M....`.................................h...O.......x...............0(..........0................................................ ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B........................H.......pR...n...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):535
                                                                                                                                                                                                                                                                  Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                  MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                                                  SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                                                  SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                                                  SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12
                                                                                                                                                                                                                                                                  Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:WhXSjn:WBa
                                                                                                                                                                                                                                                                  MD5:7E9C5492C1485A2AE94A108F6FFEEA95
                                                                                                                                                                                                                                                                  SHA1:F00A6A35F3D41AFF9ED2C028C26D918EEF06B715
                                                                                                                                                                                                                                                                  SHA-256:04CA73099B2058974220319A7CC3E156AE24AFA13B28F340E8D97B021D1BBC95
                                                                                                                                                                                                                                                                  SHA-512:191B4297645813DD163611547EC2708BD6678E535429FC4D771472BC185C887CAF24FAAA7F1DCF78577739E3D06387A756A11193C68918DDF47D21328CA1E4DC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:version=27.2

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):96816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.179944898759355
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:XJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwm:XQUm2H5KTfOLgxFJjE50vksVUfPvCz
                                                                                                                                                                                                                                                                  MD5:9A344D6A16A6FEF791701FC52FA722A2
                                                                                                                                                                                                                                                                  SHA1:7F1CEF75650CA626D79F7F15818851A9C297F65E
                                                                                                                                                                                                                                                                  SHA-256:80890B7E8F3CC557A87BB1F84C7C30CA9B08B3F8AA68184D99439305EF91388E
                                                                                                                                                                                                                                                                  SHA-512:93ED10309A2EA138FE31BE55F82627290DDA0F8B7AEA63A54D97BB6EF2985BCC0449FCCC288DEF154D9F3318FB4DA9CAC3FBB4727986997DD1CDD5C97541139E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186416
                                                                                                                                                                                                                                                                  Entropy (8bit):5.934478472448458
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:6kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFes:0+c7b1W4R6joxfQ8p
                                                                                                                                                                                                                                                                  MD5:A68241D6E026F218B259FD2CE8F744C0
                                                                                                                                                                                                                                                                  SHA1:DEA3F011BBC728DB750A054CCF3C5FDFE583EB91
                                                                                                                                                                                                                                                                  SHA-256:B0F5B75176B338F03AF4BB287259F36167D86C7A6EF128FE021B7401854F2362
                                                                                                                                                                                                                                                                  SHA-512:1CBFA69C0F75ADAC4C61A84A803201E1897B2A24E50570C44048C6DDAB57A03A1DEBEE04671A8F1FE83745ECD8A91447A4E4E10611811A8B136B3B2016EAD119
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ...............................P....@.................................,...O.......................0(........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):331824
                                                                                                                                                                                                                                                                  Entropy (8bit):6.168966743027853
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:KBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTe:KDMUWITZznu85k8Wdn8KmCjIFi3VvC
                                                                                                                                                                                                                                                                  MD5:DE6B588BD13AFFC760EE32D105C77A21
                                                                                                                                                                                                                                                                  SHA1:F9D20F683938F0347F0C2782D0E05FCFA143CEE1
                                                                                                                                                                                                                                                                  SHA-256:07762DCF4082B9A14BEC37573058015F03D26B46B9A6B7B0C0E66402CBE256F1
                                                                                                                                                                                                                                                                  SHA-512:6D0947E89ED1BF942C6BB93309BDD45B83FD92A3B8D0C4E3265A581DB9318B88187BDE5A58CFB5EE3A7BFE48167D4438B85D9FF03283C73A97B1C6022FE7CBCE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@...........@.....................................O.......................0(... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):710192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.9607419702126485
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:cBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUZ:cBjk38WuBcAbwoA/BkjSHXP36RMGw
                                                                                                                                                                                                                                                                  MD5:C2EBB296A9B097C4BC36018341C2F514
                                                                                                                                                                                                                                                                  SHA1:55B79CCD4F93AC6EF3AE6E2AD858DE5F23516EC9
                                                                                                                                                                                                                                                                  SHA-256:3CFB2C5E1947565F0795FCF5C0587B8F021842D52E79A40F25070BCABCE48089
                                                                                                                                                                                                                                                                  SHA-512:BF95FA3B93A25E040D3521BF8436BBA505D09F659360C0606F259607083D9C4F1366683CFE0215D4F13CE875E753B12F1DE058A3D0CBB84C3948644D0E7BDEEB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../t....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):55856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2394409505734165
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:rREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLa:rR8+5k15z0WBZEtgwJq7Hx3u
                                                                                                                                                                                                                                                                  MD5:89D62604A1CA22A2F8FFD987B543D38E
                                                                                                                                                                                                                                                                  SHA1:64D7D345821AA76971BB9EF71CE731CCD9BFAC32
                                                                                                                                                                                                                                                                  SHA-256:80D4A38A5C0F117AFC7FC74A3F2DA39259BDD980BBA85687FF2019C8262E171D
                                                                                                                                                                                                                                                                  SHA-512:1173C7AFE2719EF324342A6D3EA459319533843CFE8A04CDC63FCF3D8A2D6DC4BB537FC1A4DBA63F585EB11F3E16FB2F17C53BC64BC7318A52B44266A3A9A56E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... .......e....`.................................P...O.......H...............0(........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):602672
                                                                                                                                                                                                                                                                  Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                  MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                  SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                  SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                  SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73264
                                                                                                                                                                                                                                                                  Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                  MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                  SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                  SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                  SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):251
                                                                                                                                                                                                                                                                  Entropy (8bit):5.221617289930374
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Ajmw1qRkpKF71L/uhBXV+Ap131D4MrigDnhOoDX:gkf71L/ufXpp110ps3X
                                                                                                                                                                                                                                                                  MD5:2C45865A7FA4BD7CBBF4531D70A19BE9
                                                                                                                                                                                                                                                                  SHA1:51BB8911B3CCD934CD45F4500171B0F14A5255B5
                                                                                                                                                                                                                                                                  SHA-256:0132816507AE9ECD6CD06572B83657533C41F848361DF2035963BFE0B02EEED6
                                                                                                                                                                                                                                                                  SHA-512:D351291DD06FC308F87485AB226168189F62ED0F37948D6188613413A28013ED44D7B48262F32FFEA406992F3C3EDD59AF4983F7D072510525EFE714D8FF38CD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:/i /IntegratorLogin=shyam@telcoict.com.au /CompanyId=22 /IntegratorLoginUI= /CompanyIdUI= /FolderId=21 /AccountId=0013z00002eDbtlAAC /AgentId=fbcf2d79-fde9-446f-9db8-b915db64fdfb.08/11/2024 07:54:44 Trace Starting..08/11/2024 07:54:59 Trace Starting..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):157873
                                                                                                                                                                                                                                                                  Entropy (8bit):4.753497932507659
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:ZHXt/BWDLm8arfT4h6+2j+S64ioX+g15titNI6cSM:gDLmtrfT4hj2ju0X9wGSM
                                                                                                                                                                                                                                                                  MD5:AB3D7C0401590BBDAF4B3C84592D24D6
                                                                                                                                                                                                                                                                  SHA1:756F86B49CA2035638F77BBEB60CFE6A827B553E
                                                                                                                                                                                                                                                                  SHA-256:4428A8B3F1A63312918FF5F8E1D5EE1F6EEBA9D73A336721338D494D2B6E5F6C
                                                                                                                                                                                                                                                                  SHA-512:24AAC8D02347EF3E226531CA15B71714CB53546C7AA1B4D961A72E097C3528AE2590B00ECBAA7E80815E99FAFB6919D234E957DFCD08467CD753B24C004B6124
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<pre>Acknowledgments....This Splashtop software incorporates materials from third parties, the use of which is hereby acknowledged.....================================================================....AES....Copyright (c) 1998-2010, Brian Gladman, Worcester, UK. All rights reserved.....The redistribution and use of this software (with or without changes)..is allowed without the payment of fees or royalties provided that:.... source code distributions include the above copyright notice, this.. list of conditions and the following disclaimer;.... binary distributions include the above copyright notice, this list.. of conditions and the following disclaimer in their documentation.....This software is provided 'as is' with no explicit or implied warranties..in respect of its operation, including, but not limited to, correctness..and fitness for purpose.....================================================================....CELT....Copyright 2001-2009 Jean-Marc Valin, Timothy B. Terri

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):310280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.406682858396138
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:B2ewUPD+fCEWepqJ1u45FC9xrIaPXiyVfl/7RohyyP16+Dfj8d3:NRPD+KLepIu4qnrIBy/7RoPfO
                                                                                                                                                                                                                                                                  MD5:FB1A6F0CB84ACB237FF0E42E5CF876A6
                                                                                                                                                                                                                                                                  SHA1:6CDEBFA5ABBF7BA48179DFF13A1343F3C4D9348F
                                                                                                                                                                                                                                                                  SHA-256:DA5E12D077875B4F93210B10689F28B6EF33480E3BD2362E80F11EDFF8C9966D
                                                                                                                                                                                                                                                                  SHA-512:2602908AB2FAF07C1957DAD00960F6432D08BDD7327DB96D1338C87B1E18CB025B381378BA4BC800F558D26D76922E5882481A99B17575D3D48208C289EE3B8D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........PC..C..C......H.............Q....R....I...........F..C../..W...B..W.[.B..C.3.B..W...B..RichC..........................PE..d.....0e.........."....$............H..........@.....................................u....`..................................................F..<.......H.......H'.......(..........@...p...............................@............................................text............................... ..`.rdata...@.......B..................@..@.data....+...`.......F..............@....pdata..H'.......(...Z..............@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):249864
                                                                                                                                                                                                                                                                  Entropy (8bit):6.627715385431378
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:gbNEPN9Db8oxccZd8lZOWb1yBGAOnpe6nbXcw:gc/8oxc5yBGVpJbXcw
                                                                                                                                                                                                                                                                  MD5:151AAE6C0F0E40AB4138AF953768AB37
                                                                                                                                                                                                                                                                  SHA1:18F55A0707EE7140776D7857D0AF56D471289960
                                                                                                                                                                                                                                                                  SHA-256:F253CE8A8C4CDC4FD7A93A04515B208D461FF6E4076F64431E7EC7E9E5E08923
                                                                                                                                                                                                                                                                  SHA-512:40FFF8741C8AFB0EF2E6F8F69755F8A2E1F6422943341BBE680EEEFE939731F39E59D1C608B7C23AA649C3F2D93E6104E6B420A755F551F555504E1028B91C68
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.B.>},.>},.>},.../.3},...)..},...(.(},...(./},.../.+},...).q},...-.;},.>}-.]},.*.%.?},.*..?},.>}..?},.*...?},.Rich>},.........................PE..L...+.0e...............$.....2....................@.......................................@................................. p..<.......H................(....... ...H..p........................... H..@...............h............................text............................... ..`.rdata..J...........................@..@.data...p............n..............@....rsrc...H...........................@..@.reloc... ......."..................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):40160
                                                                                                                                                                                                                                                                  Entropy (8bit):6.316240044981803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3z+6yz3JqnYCblcp6wOmMQC4cT3AZ21w6LuOBjEwXxyvJ3GB1C2GCTaZum8e:3ByY12kwOm8s2diSXCIB1yC2HT
                                                                                                                                                                                                                                                                  MD5:1033D6EFB14B7C8308A261E7151A8FDD
                                                                                                                                                                                                                                                                  SHA1:C331C67E93DA33EAAAAA0A4033855F185A79DE99
                                                                                                                                                                                                                                                                  SHA-256:6A14EFEE1EAD8592B0E5199DB4E7256462F135D6DC10A803D98D03CFC4F1E678
                                                                                                                                                                                                                                                                  SHA-512:083C365FD00BDED1637CBA2DDCE2FC3D93A8C60122F01CCD675A13EFF4C7663EE0FCE1B3316755FC971B3A3E6D242E29236180508D03C803950E2159B374767B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........wU.............f.......f...............f.......f.......f.......f.......f.......f......Rich............................PE..d...7.#R.........."......`..........t..........................................................................................................(.......P....`..x...............4....B...............................................@...............................text....".......$.................. ..h.rdata.......@.......(..............@..H.data... ....P.......4..............@....pdata..x....`.......8..............@..HPAGE....f0...p...2...<.............. ..`INIT.................n.............. ....rsrc...P............x..............@..B.reloc...............~..............@..B........................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):224
                                                                                                                                                                                                                                                                  Entropy (8bit):4.68750285687923
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dCiI4FDIIlfILQIIbdELV0Lr+FDIIGKhaL3C:kidCiRxt2QjdRCxeKcL3C
                                                                                                                                                                                                                                                                  MD5:EBC2A6216B737E813732ECA1BB1F2AF2
                                                                                                                                                                                                                                                                  SHA1:6E63AB58C2055A3F276C1CD36FA406E37C099099
                                                                                                                                                                                                                                                                  SHA-256:275C9771ED3AC2ABE0989A114804ADD0CCED09F8A1BFF1633C4F79929921713B
                                                                                                                                                                                                                                                                  SHA-512:248CD17E4836B429DF0923E8C04FD3F8ECAB7CC8BFF6761F06AAED420111FF5DBADCC974193701DEBF63655CD79E8E0D0B6C7599760B13ABA19B5C0E178BF7EC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log..utils\devcon.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum.exe -p 1000 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):232
                                                                                                                                                                                                                                                                  Entropy (8bit):4.776744518403625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dRLPI4FDIIlBILQIIbdRL6V0Lr+FDIItGKhaL3C:kiddRxr2QjdHCxwKcL3C
                                                                                                                                                                                                                                                                  MD5:4AD78E888894B3F89711D75D526E2D9A
                                                                                                                                                                                                                                                                  SHA1:A01DD7B5F20052AB27B721127DAB01A34666D4D9
                                                                                                                                                                                                                                                                  SHA-256:8B82E0E205711B8A22939AB86BF955DB938D2A733F57E48404DD118B5DDB9AE5
                                                                                                                                                                                                                                                                  SHA-512:CD6C972070593A6FE09778BC043C84CABE61E96FC3EA1B529D993540678AE0E99A641BFFAB87B3AE954977F0C0A9C639185889421225C185615C4EC34A8699F3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log..utils\devcon64.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum64.exe -p 1000 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8955
                                                                                                                                                                                                                                                                  Entropy (8bit):7.156854915296666
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:3F37o7MECwCNnYe+PjPGr9ZCApkT1rrZgjlerpLF+vc1rbrRnJ4aTT:3NEuwCNnYPL/p1P6jeL3JrRiaT
                                                                                                                                                                                                                                                                  MD5:214E5DB2F6D3FF72B6E4F3BACCD7ECB0
                                                                                                                                                                                                                                                                  SHA1:64CC6A8F3E79BFA0301924D4A18370CFDD8ED955
                                                                                                                                                                                                                                                                  SHA-256:C23C1C358705DCE49FD6D1BEB1B0482F74DFCE35FEE7AE4D0C79390385FD22F9
                                                                                                                                                                                                                                                                  SHA-512:E31E2455A7014937F3E9ECA05D192320CF6159CED333888C6612BE36453F72D76F1015FC1306D41F41CD5F4CB206028ECD99C0F28505D29B6E9E0F497D231D17
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0."...*.H........".0."....1.0...+......0.....+.....7.....{0..w0...+.....7........'PP.M.B.....v..130902014741Z0...+.....7.....0..e0....RA.6.6.8.6.5.4.3.B.1.2.3.6.6.1.8.8.6.3.A.1.F.A.6.3.F.A.2.B.1.4.F.A.8.A.E.5.4.F.A...1..k0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........heC.#f..:..?..O..T.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RC.C.2.3.0.0.C.3.E.9.D.5.2.9.0.A.2.A.4.0.6.2.7.3.A.0.F.8.3.5.8.1.D.3.7.F.F.0.1.8...1..s0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1598
                                                                                                                                                                                                                                                                  Entropy (8bit):5.348428467214068
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:BoJAo10StKRqv8rI3OB/7wBZBZhvC3R7YxGcSF+125dLH/kvGPGo:BoJbkEvReNErZZcQ125CvQR
                                                                                                                                                                                                                                                                  MD5:5AE5F4B07FABDB969DDA6425E54C4DDD
                                                                                                                                                                                                                                                                  SHA1:A6686543B1236618863A1FA63FA2B14FA8AE54FA
                                                                                                                                                                                                                                                                  SHA-256:489CFA94B8FAEA97E0CF73714A65890418247BF34023DC4FDEBB03EF233B12F9
                                                                                                                                                                                                                                                                  SHA-512:C8751CF986E7A2800924D9707FB40AA95F5EE2431E16D5EEDC583FEA1F5351C95BF3FD90AC0EBD81AFC7262FBFA6C452BF1CA1B908E7360515970F146D0D6E50
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%splashtop%..DriverVer=05/21/2013,1.0.0.0..CatalogFile=stgamepad.cat....[SourceDisksFiles]..stgamepad.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..DefaultDestDir = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....[Vendor.NTx86]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[StGamepad_Install.NT]..CopyFiles = StGamepad_Install.NT.Copy....[StGamepad_Install.NT.hw]..AddReg = StGamepad_Device_AddReg....[StGamepad_Install.NT.Copy]..stgamepad.sys....[StGamepad_Device_AddReg]....[StGamepad_Install.NT.Service

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):33504
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4990196288743425
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Uwyk2eCK3PRiZ1bcvrlEeT0OEM859sKkgTvEakiX5vFmXhBcfoaM8l1l3nzWPDP8:UupCJeT5EgKkgTMa3VFMmAalaPzumy
                                                                                                                                                                                                                                                                  MD5:4C3233F0B9A5BC7B58B464C9E1E86D52
                                                                                                                                                                                                                                                                  SHA1:FCCE254ED5DF8DE6D21623A6E53FA2AEEE030365
                                                                                                                                                                                                                                                                  SHA-256:832328B8DD98D51A9CE29C3953E85AFB036964299B93B9FB929023F15C63AD9A
                                                                                                                                                                                                                                                                  SHA-512:884A22B0CE16B91B1A04D6B5E99678CC584484FF5BE3D92ADDB27F0E9D58BFF57A9716C843789F9BD59EC79A55EF342DFD2A0EF39C6E7776CD4FC0211EE8DFCF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........i...i...i.......i.....i...h...i.......i.....i.......i.......i.Rich..i.........................PE..L...5.#R.................N..................0.......................................;..........................................<.......P............f.............. 1...............................................0...............................text...(........................... ..h.rdata..V....0......."..............@..H.data...4....@.......*..............@...PAGE.....%...P...&...,.............. ..`INIT....8............R.............. ....rsrc...P............\..............@..B.reloc...............b..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):154
                                                                                                                                                                                                                                                                  Entropy (8bit):4.715757968072225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:jTDVBF+jVy9kCCWo7EIbd/KiIKTAxsHs2yo7EIl2YILzDoC:/AjsC3IIbdCiI4FDIIlfILQC
                                                                                                                                                                                                                                                                  MD5:5D33C035F7B22B463DBD01BC0D31C9E9
                                                                                                                                                                                                                                                                  SHA1:5345461EF02D330178F047FFBD40C5F4B142A416
                                                                                                                                                                                                                                                                  SHA-256:45C7D88A3D4643220137D23DBE0EB5CE45DFB6AD16EDC1D6EE4CA8FD1C41AF49
                                                                                                                                                                                                                                                                  SHA-512:88E339E01417D6EFAA8271E6F3A9D077711508A3EE4D0CF3A95E6607C0282D201633113EACB8A142189F54476AD7B501EAEEA5AC2D9297A06B1A7A55D73B8940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\enum.exe -u 0 >> inst.log..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):160
                                                                                                                                                                                                                                                                  Entropy (8bit):4.807126999960993
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:jTDVBF+jVy9dJFtCWo7EIbdRLX/IKTAxsHs2yo7EIl3xILzDoC:/AjsZW3IIbdRLPI4FDIIlBILQC
                                                                                                                                                                                                                                                                  MD5:D0E7FCE8A8281FC10CB9548299254079
                                                                                                                                                                                                                                                                  SHA1:112A4EA65D2CC4A1C57EB6967AC058C8EDE341DE
                                                                                                                                                                                                                                                                  SHA-256:11F757D09B095A89D52A990149379618551D88E92E1C9BEEFED243A083487260
                                                                                                                                                                                                                                                                  SHA-512:8132F0DFE0071D3CA3CC5D4CD6ED2634E61314BF6BB84AF5B5F97261E3E26601F1C6AA5C8ABBDA596639CAF4C0E2AFC3A2DE46BB92C199894DD5CFC2DF519CFF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\enum64.exe -u 0 >> inst.log..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11776
                                                                                                                                                                                                                                                                  Entropy (8bit):5.289815206775557
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:Qexcism3zhYFH1u0BFhdzQV3TdfPq12pru6JEkb8oHA1Ib/meUmV:QeKduuf1+DEgprhh82Tirm
                                                                                                                                                                                                                                                                  MD5:5F1E3F3B071AB0D51AB45060D156AF17
                                                                                                                                                                                                                                                                  SHA1:2FFCC9CC689C7C3DA18DF015C4BCC880F185C800
                                                                                                                                                                                                                                                                  SHA-256:B628E895BFC38227DB258DB91959C6D55367877669944DA022A89469101D8BCF
                                                                                                                                                                                                                                                                  SHA-512:3EAAB54CD58350BADBE0F32B78BA7EA8EA50072AA159A3A36AD730116247D225C164CFCAFFE920C34D9287E55E68D933A92D4F7E7D3CEF9E8E3F185DAB629BC7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.9...W...W...W.......W.......W.......W......W...V.O.W.....].W.?{)...W.......W.......W.Rich..W.........PE..L...5.#R............................p........0....@..........................`......F.....@...... ..........................,%..P....@..8....................P..........................................@............................................text............................... ..`.data........0......................@....rsrc...8....@......."..............@..@.reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11776
                                                                                                                                                                                                                                                                  Entropy (8bit):4.886509604340361
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:reQH6MzhfmNHuhv9LIFJxGNIiTwnPXIXBY+CzASxvh1b7sAmIb/IeUmV:rezev9cGNIiTGOY9Dxvh1xUrm
                                                                                                                                                                                                                                                                  MD5:815848A1B7AA76DE38315A7C796165DE
                                                                                                                                                                                                                                                                  SHA1:131016320240F5760853BB0AE8ED34CE8865C4B5
                                                                                                                                                                                                                                                                  SHA-256:99FF169E6114BA53DDC6BFCDB08CF73CB1104E69EEDC2A13F39605A96CAA5367
                                                                                                                                                                                                                                                                  SHA-512:3A9453528FC5335AFF02717EE7271EBE253CF986FE71B7CE4BE4B060BE7EF625EA33877F98B2DEA54432A2F7625314A5B3DCF57518209E818EC03589257E69F6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Kf................U.......C.0.....D.......S.....y...........n...y.........I.....(.........T.......Q.....Rich............PE..d...7.#R..........".................H.........@..............................p......|.....@.......... ......................................`$..P....P..8....@...............`..........................................................X............................text............................... ..`.data........0......................@....pdata.......@.......$..............@..@.rsrc...8....P.......&..............@..@.reloc..h....`.......,..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1416
                                                                                                                                                                                                                                                                  Entropy (8bit):5.221234341229966
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:VrY6t5UbhKRvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLk32pNaf1E:5Y6qhKT2mvsIeZvEuarJKhpXo1moJmiI
                                                                                                                                                                                                                                                                  MD5:BECB66962164A387453E351769E665A4
                                                                                                                                                                                                                                                                  SHA1:D5651F9CE02E1D48E85A33DCAFB906F3DC575365
                                                                                                                                                                                                                                                                  SHA-256:294AE63315DCFCBA4F8BB30BC4098E6BF39281244BC215FE9EB8EA3B778CEC48
                                                                                                                                                                                                                                                                  SHA-512:03523212E1827635EB2573ABE2B1A3D66BA529990917B739AF6B2C6727223D2E99E4A353B21F2871FFBCA44D22623409EA1451CF0A0ADBED9C0E8DBB6E55C6CF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1414
                                                                                                                                                                                                                                                                  Entropy (8bit):5.220204645552163
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:VrY6t5UbhKdvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLkQ2pNaf1E:5Y6qhK32mvsIeZvEuarJKhpXo1moJmiX
                                                                                                                                                                                                                                                                  MD5:B80450985E33B188398EF5475FE3A4BA
                                                                                                                                                                                                                                                                  SHA1:6699FE7C174A9A585E3559A16877B5555687F6F0
                                                                                                                                                                                                                                                                  SHA-256:760BC44295820C5AF7E2D5077CE05EED8E23B3EF344D5C6C48422818DDE78D41
                                                                                                                                                                                                                                                                  SHA-512:BA29A71114A86E10ACE80F5B039DB68F4FE3BFD5592ECC6511D9AA0235E75ACFA188909EE0453593EBEFDB33DB46D1272C98A44350ABB24810C52FDEE817853F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):805
                                                                                                                                                                                                                                                                  Entropy (8bit):5.339948574341861
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:V8pgfeV4BZAK/1AN6gizSnOf6DE6Z9wmhKRvVLymhMm0KuKDLGuKw61IfQHyoHHO:VSIBBY6t5UbhKRvV7e6LpIJHT5C
                                                                                                                                                                                                                                                                  MD5:704D1CC8E0B87710278CE3EFD1C17954
                                                                                                                                                                                                                                                                  SHA1:EDF2D7FED5D3D88A657732B37C72E4CDEE90D12D
                                                                                                                                                                                                                                                                  SHA-256:FAB1408C7DE4B76FA3AF7AD4C9F25DF2063C591CDFC46445999D31B4DB712208
                                                                                                                                                                                                                                                                  SHA-512:6061B9BB1A4D55FD916A44C8619356DC4ED40C284F91FC2114CD5974533F762F88B4E0C49A265E96AD1E122ACFBA947D02AA3B11E43115D247FA0868661BDC3B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):817
                                                                                                                                                                                                                                                                  Entropy (8bit):5.35613829912293
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:V8pgMyeV4BZAK/1AN6gizSnOf6DE6Z9wmhKdWiVLymhMm0KuKDLGuKw61IfQHyoO:VS3sBBY6t5UbhKdvV7e6LpIJHT5C
                                                                                                                                                                                                                                                                  MD5:319DCF0B017DAFA51C33A7489D123F91
                                                                                                                                                                                                                                                                  SHA1:60F8E32A2E7E05F2384D8B66E51F8FF1DE70AC10
                                                                                                                                                                                                                                                                  SHA-256:44A271D1DD10FFC85815DF277E708BE462CC5AFABC43BD0D7A9505E35A70E488
                                                                                                                                                                                                                                                                  SHA-512:EE6403E7069C1185F6F34A02DA2DE1FEC2F859E89523B769CF9EFDCAA2CD9E5AFA501ADC38169A86D86DA1570C789116A29C2485F87201CFD2A770EC447A55C3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):85216
                                                                                                                                                                                                                                                                  Entropy (8bit):5.323561566613011
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:34rhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkApiKB:K+KY04RMmSCYmBiF4O7WTgKB
                                                                                                                                                                                                                                                                  MD5:CD483270630CCABBD1902C6B21FBE9D3
                                                                                                                                                                                                                                                                  SHA1:B33C3139DD83F108591383449D4F9136189D8F97
                                                                                                                                                                                                                                                                  SHA-256:49D6B913A4095A3E7B14554C91942BD5CDDDF9DCFDB076B31921592AFF1BC135
                                                                                                                                                                                                                                                                  SHA-512:DC92ED176DBB7CC27BE1FFF90F875B2582869465156BD70F363902524C716822FB9657AA944A6F02CB1E77271F3D24F8667F4A678F5BB5B5846AB18E455A731F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P......F.....@...... ..........................lm..........p............0.......@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):89312
                                                                                                                                                                                                                                                                  Entropy (8bit):5.29323585141242
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:UP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WsK6:UePOYe4bu1epDh8RWsK6
                                                                                                                                                                                                                                                                  MD5:07361279885BC0B334DDF5754CDB12FE
                                                                                                                                                                                                                                                                  SHA1:63A7320CD6992E2509EB1D82D550B1AA5FEA6A47
                                                                                                                                                                                                                                                                  SHA-256:96411A783BAA574421659E73B11F111A0EEB3D9B105CA55E29FE6C0B820646F7
                                                                                                                                                                                                                                                                  SHA-512:D07F5DFFEAD4470CAA935F6CD250DF9CA77A2D28C0B84112D83CE9ED7AC7A01CB012773FB290612E4DE45776BB919C395533AD3AD5497A3469BFE5B43FB5D1E8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......Mz....@.......... ......................................X}..........p.......T....@.......`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10957
                                                                                                                                                                                                                                                                  Entropy (8bit):7.22853921730831
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:0gNqq6a1DUuvE7EwWZhYC/nnbXfH098uXqnajH/svHa:0gEy9Zh3/njXuXlTsPa
                                                                                                                                                                                                                                                                  MD5:62458E58313475C9A3642A392363E359
                                                                                                                                                                                                                                                                  SHA1:E63A3866F20E8C057933BA75D940E5FD2BF62BC6
                                                                                                                                                                                                                                                                  SHA-256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
                                                                                                                                                                                                                                                                  SHA-512:49FB8CA58AECF97A6AB6B97DE7D367ACCB7C5BE76FBCD324AF4CE75EFE96642E8C488F273C0363250F7A5BCEA7F7055242D28FD4B1F130B68A1A5D9A078E7FAD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.*...*.H........*.0.*....1.0...`.H.e......0..=..+.....7......0..*0...+.....7......?~..S.N.j....J...181204081131Z0...+.....7.....0...0......e.Q.82....jG.8....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0.... _...U...woq..2..:.V.kx........1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... _...U...woq..2..:.V.kx........0.... `...m..d..E.f|.R.o../.ziR&7.._..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... `...m..d..E.f|.R.o../.ziR&7.._..0....d}...))...3e...u...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4514
                                                                                                                                                                                                                                                                  Entropy (8bit):3.7887986776100973
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:9G2XN/WAXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9L5EDNRniWI6fyw5I
                                                                                                                                                                                                                                                                  MD5:1CEC22CA85E1B5A8615774FCA59A420B
                                                                                                                                                                                                                                                                  SHA1:049A651751EF38321A1088AF6A47C4380F9293FC
                                                                                                                                                                                                                                                                  SHA-256:60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF
                                                                                                                                                                                                                                                                  SHA-512:0F24FE3914AEF080A0D109DF6CFAC548A880947FB85E7490F0D8FA174A606730B29DC8D2AE10525DBA4D1CA05AC9B190E4704629B86AC96867188DF4CA3168BB
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.2./.0.4./.2.0.1.8.,.1...0...2.0.1.8...1.2.0.4.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12585
                                                                                                                                                                                                                                                                  Entropy (8bit):7.124479508046628
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:M9yLPtUtkB7uIqhmbgE7EwWZhYCyZR/HsgKqnajVhY2c8evGd:gZO49Zh3e1MgKlxW2c8eed
                                                                                                                                                                                                                                                                  MD5:8E16D54F986DBE98812FD5EC04D434E8
                                                                                                                                                                                                                                                                  SHA1:8BF49FA8E12F801559CC2869365F0B184D7F93FE
                                                                                                                                                                                                                                                                  SHA-256:7C772FB24326E90D6E9C60A08495F32F7D5DEF1C52037D78CBD0436AD70549CD
                                                                                                                                                                                                                                                                  SHA-512:E1DA797044663AD6362641189FA78116CC4B8E611F9D33C89D6C562F981D5913920ACB12A4F7EF6C1871490563470E583910045378BDA5C7A13DB25F987E9029
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.1%..*.H........1.0.1....1.0...`.H.e......0.....+.....7......0...0...+.....7.....tW...d#O...L<":4..181204083207Z0...+.....7.....0...0....!,..8.'T......\.b.\s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0....;~.Y&h.L..@.ds. .A..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... \...s .p.mI^1:.M5KEO4..?l......0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0H..+.....7...1:08...F.i.l.e.......&l.c.i._.p.r.o.x.y.u.m.d.3.2...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e.....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2715
                                                                                                                                                                                                                                                                  Entropy (8bit):5.41680725095282
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:qnchtOKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pkua1YuSnEhn/A7ic4d4y
                                                                                                                                                                                                                                                                  MD5:0315A579F5AFE989154CB7C6A6376B05
                                                                                                                                                                                                                                                                  SHA1:E352FF670358CF71E0194918DFE47981E9CCBB88
                                                                                                                                                                                                                                                                  SHA-256:D10FA136D6AE9A15216202E4DD9F787B3A148213569E438DA3BF82B618D8001D
                                                                                                                                                                                                                                                                  SHA-512:C7CE8278BC5EE8F8B4738EF8BB2C0A96398B40DC65EEA1C28688E772AE0F873624311146F4F4EC8971C91DF57983D2D8CDBEC1FE98EAA7F9D15A2C159D80E0AF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=12/04/2018,1.0.2018.1204..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.555505359489877
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:q4+LP4B5MAHFQq4OSGtGkVPKLIy0uwc0yeuUjsVbGVjp3haxZ3vOoKn:q4+LS5XYOSk1Kky0uww6s5mN3haxZI
                                                                                                                                                                                                                                                                  MD5:01E8BC64139D6B74467330B11331858D
                                                                                                                                                                                                                                                                  SHA1:B6421A1D92A791B4D4548AB84F7140F4FC4EB829
                                                                                                                                                                                                                                                                  SHA-256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
                                                                                                                                                                                                                                                                  SHA-512:4099E8038D65D95D3F00FD32EBA012F55AE16D0DA3828E5D689EF32E20352FDFCC278CD6F78536DC7F28FB97D07185E654FE6EEE610822EA8D9E9D5AF696DFF5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....%.\.........." .....X...@......@T....................................................`.........................................P...P................................?.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):184016
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2322376663017
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:uSNRRE5JX6GkYj9i/hXJTqHDh3ibNrg4WhC8MFMbgGYgITUP4uvo4B:uS6Pb5KnT2dSNsC+gGx62v/
                                                                                                                                                                                                                                                                  MD5:4DC11547A5FC28CA8F6965FA21573481
                                                                                                                                                                                                                                                                  SHA1:D531B0D8D2F8D49D81A4C17FBAF3BC294845362C
                                                                                                                                                                                                                                                                  SHA-256:E9DB5CD21C8D709A47FC0CFB2C6CA3BB76A3ED8218BED5DC37948B3F9C7BD99D
                                                                                                                                                                                                                                                                  SHA-512:BD0F0A3BBC598480A9B678AA1B35728B2380BF57B195B0249936D0EAAA014F219031A563F486871099BF1C78CCC758F6B25B97CFC5296A73FC60B6CAFF9877F6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....%.\.........." .....r...*............................................................`.........................................`M.......M..<................(.......@...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.622950914796068
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Pi+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYqN:6+9cu1oF/AnqqN
                                                                                                                                                                                                                                                                  MD5:67AE7B2C36C9C70086B9D41B4515B0A8
                                                                                                                                                                                                                                                                  SHA1:BA735D6A338C8FDFA61C98F328B97BF3E8E48B8B
                                                                                                                                                                                                                                                                  SHA-256:79876F242B79269FE0FE3516F2BDB0A1922C86D820CE1DD98500B385511DAC69
                                                                                                                                                                                                                                                                  SHA-512:4D8320440F3472EE0E9BD489DA749A738370970DE07B0920B535642723C92DE848F4B3D7F898689C817145CE7B08F65128ABE91D816827AEB7E5E193D7027078
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......4....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):122576
                                                                                                                                                                                                                                                                  Entropy (8bit):6.535740565012407
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:dfSVevFp3FKtVy8ka9N9UOUNFZWEw+1M4hyFi:BSYNpkUOUrgxeMlo
                                                                                                                                                                                                                                                                  MD5:B9B0E9B4D93B18B99ECE31A819D71D00
                                                                                                                                                                                                                                                                  SHA1:2BE1AD570F3CCB2E6F2E2B16D1E0002CA4EC8D9E
                                                                                                                                                                                                                                                                  SHA-256:0F1C64C0FA08FE45BEAC15DC675D3B956525B8F198E92E0CCAC21D2A70CE42CF
                                                                                                                                                                                                                                                                  SHA-512:465E389806F3B87A544AB8B0B7B49864FEEBA2EEEF4FB51628D40175573ED1BA00B26D6A2ABEBC74C31369194206ED31D32C68471DDDCF817FDD2D26E3DA7A53
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....%.\.........."......N...N......,..........@................................................................................................(............@...........@......L.......8............................................................................text............................... ..h.rdata..l,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23528
                                                                                                                                                                                                                                                                  Entropy (8bit):6.370136009210867
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:6kV9C2/s2Abnkr+YcSIVO67k5hVAi59RKzOqUIUz8JN77hhM/l:vP0bE+YHIO67kLZVj83ha/l
                                                                                                                                                                                                                                                                  MD5:D53AD812F1146CDDEA6A89806CC2439A
                                                                                                                                                                                                                                                                  SHA1:5102973DF29B7E70AD8845D3B5FA36DBEF294D56
                                                                                                                                                                                                                                                                  SHA-256:009DFAD5DEA03EA0C0B963EEA9CDCDB78668C8B35C19E2B92311D8703F00D6D2
                                                                                                                                                                                                                                                                  SHA-512:38C2BFF7125F5BFD51A5D4D49D3C68BBCF9065057686AF8CAF7C3025BAE27CDFF4928BFB37C26A6ABAA750C699B99619E874CDD5EEF79F0E4010BB9ACCE56085
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....%.\.........." .....6...........1...............................................Q....@.........................................pC.......;...............`.......@.......p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):48640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8164297445194135
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xbWmecDs6zvVt94VbJqvhkqskgSjySwigs2K5m6Vj83h57zZ3ao:xbM6JX0Jq5kNGUsn5maI3h57zZ
                                                                                                                                                                                                                                                                  MD5:6A0CCBFF305B23A4BAE471025EC28D52
                                                                                                                                                                                                                                                                  SHA1:02519EC7FCC88969621B6DC7F1294DA4EA6EA611
                                                                                                                                                                                                                                                                  SHA-256:6659E90D80A2FA0CF9F6CE40E511D8763664E78820F27081935AC1BFD4723A19
                                                                                                                                                                                                                                                                  SHA-512:4D357E3E9B19E2C18D1D3A1E6916C542243D6FF24D783A526B9E1C1605C328CD079A77AEE38DFF19BEC66E584CFDB4DF910CF98DF668D1EB2E825E2D36F816F2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....%.\...........!.....N...2.......E.......`......................................}.....@..........................p..T....q.......................~...@..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138984
                                                                                                                                                                                                                                                                  Entropy (8bit):6.623789818078503
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:0i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jY3v:7+9cu1oF/Anq3v
                                                                                                                                                                                                                                                                  MD5:4276EDDE541ED3F488FA26778BDBB0D9
                                                                                                                                                                                                                                                                  SHA1:16E06CA60A9F8BCA515D193DFD28B120446BC178
                                                                                                                                                                                                                                                                  SHA-256:617F731B8F55F1AC23E47FE3C7CFD1110F198A5A9EB207FC485F739808446808
                                                                                                                                                                                                                                                                  SHA-512:280D6C3A85B26B4EE57534D33F035063B1DD56BA3671B48700833E4A61BEF1805C86316888AA5D8645603CA655F4172311B20C98533058823734C276A3CEA66B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......|....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):138960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.623166316895491
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:3i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYWB:S+9cu1oF/AnqWB
                                                                                                                                                                                                                                                                  MD5:7CC448724952FA3B42A7B16DCBD4B50B
                                                                                                                                                                                                                                                                  SHA1:65CC211E57AE073EA89B188B66D3D473B403DEF5
                                                                                                                                                                                                                                                                  SHA-256:D90F351153CA9A51ECC24575B6A586A9A01AF24BD84F552F8305201260EE486A
                                                                                                                                                                                                                                                                  SHA-512:1C8F6034B4BA71C5D4508263DEDB00098C583F7EA4F39AE281E680C8DDA3583A0FE7FD00DD601E652CA0D301D29800AD13FC102038D4A836F99D44E331D3B2FD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0............@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95464
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7987777090492445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:nbZYULZ73iO/kwji3FWx+FJ4gwgDNSV2U5ANaudsJvdjsCIrqhZxu3hUlZNO:nHL53D/djPxaJ4gGQU5ANaudsjg9+hZk
                                                                                                                                                                                                                                                                  MD5:21E18A96C9A2E6F0838DA7BBD272CE21
                                                                                                                                                                                                                                                                  SHA1:C940F5069CE95083865D2D985682D51296B81257
                                                                                                                                                                                                                                                                  SHA-256:6CA7A9B8F2600181A4D47FA7090FF37E412687E7EA64BA5CAC4319277BE60C74
                                                                                                                                                                                                                                                                  SHA-512:1819469664C0DDE5ADFDA140313C32F9874301E103FF74E95AC684BAB71D06668299B8092564993727DF380E276B2400C1E1025D9527F637826BFCDFC9D78E66
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....%.\.....................*.......@............@..........................p......`.......................................4A..<....P...............4...@...`..x... ...8...........................X...@............................................text...|........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..x....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20968
                                                                                                                                                                                                                                                                  Entropy (8bit):6.629648031240336
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:uMuUBfWPmqKebW1j2zAAHOOntqVuvTRKzOqUAY8JN77hhecs:JHqKyWMvUutVjO3hob
                                                                                                                                                                                                                                                                  MD5:955C309947C5CAEFFB429DBF12DC13A1
                                                                                                                                                                                                                                                                  SHA1:5079A801E91F9ACBE996FBCAE6D402B7E5FC72D9
                                                                                                                                                                                                                                                                  SHA-256:59BBC2EBBA9CD056FBA8B80FC0E5DA9540D6E50F419216A1BB2A4B3E95AFB480
                                                                                                                                                                                                                                                                  SHA-512:BD4BBE228378466AD50F2B734438DDBD4FE8F6C7C3B573080834321C99E748512BE8511A927D4FD8B00635D320BEF7B245E05F174988F283B4339E1F8CED1BCE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....%.\...........!.....,..........-/.......@...............................`.......y....@......................... :......|3.......................6.......P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10660
                                                                                                                                                                                                                                                                  Entropy (8bit):7.072232435699263
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:2vBYcjEdZubhLtaSu9sZscF8Bd1LUEduasnZH5:B0+ZKoqZsHLUHPnh5
                                                                                                                                                                                                                                                                  MD5:CCC20AC60F19430FBFDA6D49F164654C
                                                                                                                                                                                                                                                                  SHA1:425253D81B930175321A9B54AB4B6D736D6AF8A2
                                                                                                                                                                                                                                                                  SHA-256:D96B2FBFDD9245EA1D46994183917340912FE9A07AC569B4F70AD51123E55EDB
                                                                                                                                                                                                                                                                  SHA-512:F9B9AB9DCF0286F2A5635DD8BE1DF5F7718017EC580B46A217EC4B77615F7D7F0FEF4484886884A912172BF8F6C16252AD5E982205AACAB73152F65A67951475
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.)...*.H........).0.)....1.0...`.H.e......0..M..+.....7.....>0..:0...+.....7..........Q.E..\>.i+...171023021614Z0...+.....7.....0...0....R5.3.3.7.3.F.4.5.5.C.1.1.5.0.1.F.5.3.6.B.3.1.E.4.3.E.0.4.0.D.4.C.C.6.A.8.2.0.3.4...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........S7?E\.P.Sk1.>..L. 40V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RB.5.5.0.5.C.6.8.0.6.1.6.0.4.1.9.C.1.F.7.1.F.4.A.8.0.8.4.4.C.A.8.5.9.D.3.9.9.F.8...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........P\h.......J..L.Y..0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.2.E.E.E.C.2.3

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4514
                                                                                                                                                                                                                                                                  Entropy (8bit):3.7907010583152645
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:9G2XNDctEXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9XcWEDNRniWI6fyw5I
                                                                                                                                                                                                                                                                  MD5:9CF8CFC1E0815F7D72D136DE87B08EEA
                                                                                                                                                                                                                                                                  SHA1:F2EEEC23EC55758E5072619B62E6851234FA6D3C
                                                                                                                                                                                                                                                                  SHA-256:9CA9C7A430D0B608F1A6ADDD9E2C17BF79845783356CE6230ECA1942A061B157
                                                                                                                                                                                                                                                                  SHA-512:6D3FEE674C83B1E68CAE7F079F74A70931D432751420300DB77DB2B237A88D81AC3CD8B4B82532DCDDEE5D1DBEF3077ACD97B5890DFA0A497B97D7594E3C15F9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.0./.2.3./.2.0.1.7.,.1...0...2.0.1.7...1.0.2.3.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11975
                                                                                                                                                                                                                                                                  Entropy (8bit):6.929505838705397
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:qRVW/ujEdZubhLtaSu9sZscF8Bd1LUY6uasnZHou49L:k+ZKoqZsHLUcPnhou4t
                                                                                                                                                                                                                                                                  MD5:186504237027590F25BEA0EC539256C8
                                                                                                                                                                                                                                                                  SHA1:A74309D7CFA8EF410EC85D3801D27291E8BC915A
                                                                                                                                                                                                                                                                  SHA-256:4CBD88D04F9C3B3DE3625B25049EA6B7C1614FFEA8730667BFF01DD210415ED1
                                                                                                                                                                                                                                                                  SHA-512:9D4B89A95DBF8D0ABFC55AE44C9CBFB29EB64AB1FFFBB81FFAB4308ED4CFD040F9A883B2B7B7A375B1675DD08532378C38410F4DB737FBDA2913EB28DE18A933
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0..p..+.....7.....a0..]0...+.....7........6Q..G...Z-.....171023021614Z0...+.....7.....0...0....R3.3.1.5.E.7.A.8.9.7.B.E.4.1.D.7.B.F.9.6.3.D.7.3.4.B.9.E.D.3.4.A.B.4.2.8.B.3.4.3...1..S0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........3...A..=sK..J.(.C0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.1.F.E.C.F.B.D.C.E.6.5.6.6.2.5.C.6.1.8.C.1.4.4.2.3.4.D.6.E.B.9.4.3.9.B.A.C.E.2...1..Q0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........q...ef%...D#Mn.C...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2715
                                                                                                                                                                                                                                                                  Entropy (8bit):5.418922446200014
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:qnch1OKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pcua1YuSnEhn/A7ic4d4y
                                                                                                                                                                                                                                                                  MD5:07DC873615C74141FB8A646F6FE1D378
                                                                                                                                                                                                                                                                  SHA1:7E2D32A5ACE72B7F3919215B707096B52CC3B5EC
                                                                                                                                                                                                                                                                  SHA-256:F97F4A79BF9ACB0D7FFB257CB3E16687F6281B8687C79361B680764F3427EF61
                                                                                                                                                                                                                                                                  SHA-512:8D59EBD58BFCDBD0115C22148DDFB1DE73E3D0C2AA42B2772B75F12D76BFA4FC3E8356346F0BE9B8F5631443FBCCCFD63354235E701A966CE104BDDC9A4987AD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=10/23/2017,1.0.2017.1023..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):46528
                                                                                                                                                                                                                                                                  Entropy (8bit):6.272518240848504
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:ql+LPDB5MAHFg6IWSG1ucVPajIyouwc09euwjsV3xnxhc:ql+Lt5X4WSM1a8youwzOsVxA
                                                                                                                                                                                                                                                                  MD5:F018A1846A12B5DFF4A5FB0343745BBA
                                                                                                                                                                                                                                                                  SHA1:C8E871A51E43B5E71A4D1ACA0A791B375CABAC86
                                                                                                                                                                                                                                                                  SHA-256:3E5D8C95805CAECFC1BF5F689F036D1831E375E573F2B0BFFA4BBB59EA36B853
                                                                                                                                                                                                                                                                  SHA-512:7DECEBD14950548436EB110F93A5951ABE42B6CACF8A041F77DFCE923FFB28B6B399EC3166F0D64A1B098F9671F73E43D020977D7EC093F7B786038C4A05C3B8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....P.Y.........." .....X...@......@T....................................................`.........................................P...P................................#.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):176576
                                                                                                                                                                                                                                                                  Entropy (8bit):6.124833448410162
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:WSNRRE5R1pHa9i/hXYTqHDh3ikNrgfxhxe74bgGY53Urb7:WS67jsKCT2d1NsDgGY5387
                                                                                                                                                                                                                                                                  MD5:37CF508FA1EB389ED85F822BAF9EF9B9
                                                                                                                                                                                                                                                                  SHA1:1720BEFADBD467FD715CE301545BC1FF02DB4681
                                                                                                                                                                                                                                                                  SHA-256:FA4CAC0B0361D85CE6220809FA85DFE3B295A187A7B58DD5FE5B06A7CE19F7FA
                                                                                                                                                                                                                                                                  SHA-512:B90CD035F83245EEDC1FC09ADEDFAC341411CFC47D130B891B2CC83B908F9F683DFFB140AA61F11B7BD15C8A5725070A92659CC567FA58F5879A1790B56833F5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....P.Y.........." .....r...*.......................................................F....`.........................................`M.......M..<................(.......#...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):131520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5166932980708925
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Si+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo3:h+xNDVCYFB/vqIo3
                                                                                                                                                                                                                                                                  MD5:A9D5E6605391A4CE7E3699D5C39BA851
                                                                                                                                                                                                                                                                  SHA1:54950896563D61917A4A61949E8B3552BC85A061
                                                                                                                                                                                                                                                                  SHA-256:EA06D1A20DDDBF33AA776DE2036651F5B2A2AFF9503A2D7174C11000F92D0396
                                                                                                                                                                                                                                                                  SHA-512:91FB4793621E8FDE6E62074F8545C4AFB636DBFAF3C236E803325DEE7B2CB33F5F1B183D565D11195912CF6DC2BBDA8F472D844AD8AF5C7738EFCB702D71BB59
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0.......Z....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):115136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.395746141588922
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:7d+TsLFRVW08y8ka9xh+V3Un7C8PcYNzAR2k:R+wpCh+Vk7LPcWE0k
                                                                                                                                                                                                                                                                  MD5:91F0E25E7EDF20F4B262A5419CDF73F2
                                                                                                                                                                                                                                                                  SHA1:3D09164F4298A0EB1EEC978C1D3CA8259AABA326
                                                                                                                                                                                                                                                                  SHA-256:D9EF2E7A55DE74FFB18CFD2CD875089B81416B636CB6BD73A6DAFDDD5E3E0BF4
                                                                                                                                                                                                                                                                  SHA-512:2F4076F08EA9F3960A374F872AA547581811B4D1D225978F4FDFB5E42EF6FE79C491A53B33F7DD1E2B71BE6A281EFE29E7BF8ECFFD660D101F456AC4D456FA75
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....P.Y.........."......N...N......,..........@................................................................................................(............@...........#......L.......8............................................................................text............................... ..h.rdata..d,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25536
                                                                                                                                                                                                                                                                  Entropy (8bit):6.407648101166343
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:FkVsC2/s2Abnkr+YcSIVO67k5hVEi4ZKoqZsHLErHPnhk:nP0bE+YHIO67kLcn2/hk
                                                                                                                                                                                                                                                                  MD5:1FB5DE2628ECB1E835B18FDA9EB0CF29
                                                                                                                                                                                                                                                                  SHA1:560AD3A8FC97187403754FBE2F3DBA056948B6CA
                                                                                                                                                                                                                                                                  SHA-256:D1ADED22243AAF4B8727B064073B9CB1C33214DA01E76D08E69996E52E774538
                                                                                                                                                                                                                                                                  SHA-512:E51BD203950E4D5DF2E26E59D90D8DC7E0B2D767C58688D2CBAB0BFD5ED5C884A72E029A737FCF1E04C908D7404645EDEC609A2E7C42E6BDCA1CDD04AB2169CC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....P.Y.........." .....6...........1....................................................@.........................................pC.......;...............`.......@...#...p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):41408
                                                                                                                                                                                                                                                                  Entropy (8bit):6.573292469340805
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:jbWmecDs6zvVt94VbJqvhkqskgSjyzFigs2Ktmen4hI:jbM6JX0Jq5kNGcsntmer
                                                                                                                                                                                                                                                                  MD5:33C12C6F8271195C79B755388642FF77
                                                                                                                                                                                                                                                                  SHA1:ABF3438FC7FF738BF3D030AE68BB16CBF4848462
                                                                                                                                                                                                                                                                  SHA-256:086E922B53D801F63043D067A185893E5CD6341394B0E8C253D08D85D14B60A5
                                                                                                                                                                                                                                                                  SHA-512:13B8EEDF0E98476E40DAB4059C6E91C591FA1DD21844151916CA70E1440FE22FA211D53E766D37DF0E494739C7881AF340731FCCAFAE73CAF81733D9FC1E1E88
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....P.Y...........!.....N...2.......E.......`......................................%.....@..........................p..T....q.......................~...#..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):131520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.516896540085767
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:/i+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo8:K+xNDVCYFB/vqIo8
                                                                                                                                                                                                                                                                  MD5:F67D8A541D407C6886D6358248014B8E
                                                                                                                                                                                                                                                                  SHA1:9E17CD44ABBE3B30E0B52FBC5A6012BEA2CFCE61
                                                                                                                                                                                                                                                                  SHA-256:919ACBEDDCBFE27D12EE44ECD38044D880A68622D7BC412FF81B089746C79E5F
                                                                                                                                                                                                                                                                  SHA-512:674D9427B3F62382AD56EA647FD131CFF2E78CF31D5E7F608191390E752C382946C4CADB26B556F670C8C4A1C9245D1857841527C755BC505295224C4256C495
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0............@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):131520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.517207826538128
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Bi+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIod:s+xNDVCYFB/vqIod
                                                                                                                                                                                                                                                                  MD5:66541304390931345318FA3802797820
                                                                                                                                                                                                                                                                  SHA1:11B3116900D0BB1D9F49E39788C4C21A6B82954E
                                                                                                                                                                                                                                                                  SHA-256:B9CB315AD55CAD2147AAEBDCCC02055868DAF3EFD9F25384E50E80CE81EC018E
                                                                                                                                                                                                                                                                  SHA-512:852EF5A95F5827E8BCBC437371FFE6B3959AD41F319721E14804BD143E1597753F0DE4DA86864098F11B4F0698831529054D07B3650AECE83DAB2E5A7C51AE2A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0......."....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):88000
                                                                                                                                                                                                                                                                  Entropy (8bit):6.656236620722421
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:1++m+LZZ3SFkKjrZFWUwTK4gCQ7fBr8UQ6SIDXvjeIg6NhUA0d:1LL73SFHjOUaK4gNoUQ6SE7hXNhUA0d
                                                                                                                                                                                                                                                                  MD5:B36B39A2AA5C15D0167A7D8454AE71A6
                                                                                                                                                                                                                                                                  SHA1:2CD2E7DAF1762A44F4FD4FC84FFC60D84A2AEFA6
                                                                                                                                                                                                                                                                  SHA-256:01871A132386F81DFD4894E9DAEB9433C4BE2A99EBE8FEC954E5182A43E96AF0
                                                                                                                                                                                                                                                                  SHA-512:4BC14EDF6C0A9695764DEAD9C90F502DCDB7F420BD54794539183BFFECD054218290C23C57155EF982F1DAA4B479DAF80B63C7CA643F73AF2A66AC01E96926E4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....P.Y.....................*.......@............@..........................p.............................................4A..<....P...............4...#...`..t... ...8...........................X...@............................................text...,........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..t....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22976
                                                                                                                                                                                                                                                                  Entropy (8bit):6.652405722283548
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:pMuUkfWPmqKebW1j2zAAHOOntqVOviZKoqZsHLEF0PnhjIS:VHqKyWMvUOyncIhjIS
                                                                                                                                                                                                                                                                  MD5:893828FDA5B4026B36C238CBED43BCC2
                                                                                                                                                                                                                                                                  SHA1:B485E255B2F6F1C294BC127AA2BE14A39C346F56
                                                                                                                                                                                                                                                                  SHA-256:CEA46DCCAF211E71DE3895C08E7C9A828C53232EDDBC90C0A6E3552826A8DDFA
                                                                                                                                                                                                                                                                  SHA-512:951598591F2A395F8C5F993A5BD850CED11F43433DF00CF5B12CBAB360949E305A52CDF55A675C8FE59F275432C92D479444C91F71AB39AB342200560972A6A6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....P.Y...........!.....,..........-/.......@...............................`.......(....@......................... :......|3.......................6...#...P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8367
                                                                                                                                                                                                                                                                  Entropy (8bit):7.279860186543382
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:+2A2RJoIo6vyowJL/aoxhHoe068jSJUbueqw4G:JRaD8YJLFHJ06dUb+w1
                                                                                                                                                                                                                                                                  MD5:092FF1A83123D816B748F0D382792543
                                                                                                                                                                                                                                                                  SHA1:C1D1E85955113B8AAB604107738E6B532FE5C706
                                                                                                                                                                                                                                                                  SHA-256:E81535236E4BDC5534677D05AB3DB67F03283E756233924945CC7D93D394DB5A
                                                                                                                                                                                                                                                                  SHA-512:7A24AF6CEF474663E615F9BCD5780D97D4249AE8D767EB60927A2BF7B7E66B1777486886C7A053C30301F98E22CCD5AAB7877BC47FA5000C34A707806B198864
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7...........cA.....G....081005153941Z0...+.....7.....0...0....R1.7.C.9.C.C.1.B.2.1.1.8.1.0.C.9.D.B.5.7.8.5.3.B.0.8.5.1.7.E.8.E.F.A.A.7.6.D.C.E...1..702..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............!....W.;.Q~...m.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RA.9.4.9.3.C.B.6.B.6.B.E.D.A.B.7.E.8.3.E.2.B.8.D.E.C.1.9.5.6.9.2.7.A

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):26048
                                                                                                                                                                                                                                                                  Entropy (8bit):6.292871779652706
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:U2dFSGikkp4cE8WWk2lg0ZeE313MrnCbuSLwJiU:deeJlGMroJIiU
                                                                                                                                                                                                                                                                  MD5:867F3CA0E3A4B57F5BA7519B645AED66
                                                                                                                                                                                                                                                                  SHA1:837676FE5C7B62AFAA4D49E6AC51EDF948AD1757
                                                                                                                                                                                                                                                                  SHA-256:1A392E8731E4F01476C54FB4FD408F590D8530C34E3835081886A0056A91E502
                                                                                                                                                                                                                                                                  SHA-512:27E21584DC54D1996FDFEE2002027061A160E89BD3B7249C017D91900381102674D65282E9B623F002F392BBF8649F0092DE9CB46C70B739A42EE62A3753C8FF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...W...W...W..=,...W...V...W..=*...W..=:...W..=&...W..=+...W..=/...W.Rich..W.........PE..d......H.........." .....2...........7............................................... .......................................................p..(............`..,....J..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......>..............@..HINIT.........p.......@.............. ....rsrc................D..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2255
                                                                                                                                                                                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                                                                                                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                                                                                                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                                                                                                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                                                                                                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11712
                                                                                                                                                                                                                                                                  Entropy (8bit):6.137352195821723
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:8hD6YJoIo6vyowJL/aoxhHoe068jSJUbueqycZ:8hD6YaD8YJLFHJ06dUb+BZ
                                                                                                                                                                                                                                                                  MD5:4B6B1EF53636E2C5A9EB9AF291970073
                                                                                                                                                                                                                                                                  SHA1:868C5A226293EEB37C513E106A80B9EE9A01684A
                                                                                                                                                                                                                                                                  SHA-256:25444A485A800E2609AD56179146DD24C41E3E56A10969037D4914BAA452DF53
                                                                                                                                                                                                                                                                  SHA-512:05B3D52E62ABB995B3EA4BEBE7C3D18354124772D97287BAAF4474ADBF9BD537AC258974C1C0B2EC1C7E3779D27D411FE74550FEA77A36D06A6D99FFD0628A7F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:f.q[..q[..q[..q[..r[..V.s.t[..V.u.p[..V.e.r[..V.y.p[..V.t.p[..V.p.p[..Richq[..........PE..d...p .G.........."..................P.......................................p......cQ......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\install.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16
                                                                                                                                                                                                                                                                  Entropy (8bit):3.625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:setupdrv install

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):90688
                                                                                                                                                                                                                                                                  Entropy (8bit):6.200545275172027
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:I/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMXq:I/QNjfCEoAOD0cUVWhmRLARnSDH5y1yv
                                                                                                                                                                                                                                                                  MD5:6C788D13DEDCD6EB9E022ACA8BD1C3FA
                                                                                                                                                                                                                                                                  SHA1:741A5342618A0AF7AC6E3F947FB3BC128477E237
                                                                                                                                                                                                                                                                  SHA-256:0BB050B230CA684DE7021D9B66303C71F408885163B20166E7047C223E0EE01E
                                                                                                                                                                                                                                                                  SHA-512:9CEEBC23EF82A302250291B0D3584F9CE9328DEA8850F49A3473B6B5392FCE4299AC0535A0F9AAF0A22047293DFD2AC70DF4002E21BF7B1BB1711E9984C9BC33
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@.....................................8......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\uninstall.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):411
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                                                                                                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                                                                                                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                                                                                                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                                                                                                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8367
                                                                                                                                                                                                                                                                  Entropy (8bit):7.270789935373524
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:+90+LRJoIo6vyowJL/aoxhHoe068jSJUbueqNb:eBRaD8YJLFHJ06dUb+Nb
                                                                                                                                                                                                                                                                  MD5:80D00FB5201EE5E66D8230B8440A7643
                                                                                                                                                                                                                                                                  SHA1:0DD971723322BB0EC8D7EF71D6389F839F6EBE30
                                                                                                                                                                                                                                                                  SHA-256:C17A1DE10DF4DF8A51E1EE7EDB209E6DEBF34285E327A7C669EF0E04E1BED72C
                                                                                                                                                                                                                                                                  SHA-512:C01F6AB36E2007E18DE27B46CB51BC8896AF5666FE18F39DADB0DC90B0DAAC2AB6580F31B0B15BD83D5453932A1299AE17E8DBA298D20B656945DEB0506F6AB5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.......r..V5B.r/.9.V...081005153046Z0...+.....7.....0...0....R8.3.5.1.9.D.3.B.C.A.9.2.3.C.F.2.9.A.9.3.D.9.2.E.A.4.1.3.A.5.C.E.D.E.5.B.B.E.0.0...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........Q.;.<........[..0....R8.7.E.8.4.F.A.7.5.6.B.9.8.F.1.4.3.7.F.F.8.F.8.D.D.9.A.2.D.C.B.6.D.0.6.2.8.5.1.5...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..........O.V...7......b..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.7.9.F.6.E.3.3.5.F.D.E.2.3.6.B.8.1.F.9.D.B.0.D.4.2.F.1.4.8.4.B.7.B

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23488
                                                                                                                                                                                                                                                                  Entropy (8bit):6.423731919049599
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:QvTfgigZKPBRDwvp5BY83HV8diQFHbsQaD8YJLFHJ06dUb+DQ:QLfpqKZRDMq6HV89HbsQSLwJiDQ
                                                                                                                                                                                                                                                                  MD5:55CB63E6661D7A911C74BF39986336AB
                                                                                                                                                                                                                                                                  SHA1:1F26A92347F58DC9616B611F1E8A29E0E6B94D67
                                                                                                                                                                                                                                                                  SHA-256:9C5E913DB4B4BE861EEC63C071FBCC6A3BC60A0D11949EC47251780508A83E25
                                                                                                                                                                                                                                                                  SHA-512:B31838612588A4CA9BB6B7D5DD0EABB69BF8FD41170FA71A0D7357D31BAFDF3075F0DE070160AFB58DAACEC5BB47EF34316E652DE9421B186F91BDCAA2BF58A2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..k..k..k..k..k.*.k..k.*.k..k.*.k..k.*.k..k.*.k..kRich..k................PE..L...h..H...........!.....,...........1.......@......................................^a.......................................`..(....p...............@..............p@...............................................@..p............................text....&.......(.................. ..h.rdata..q....@.......,..............@..H.data...@....P.......0..............@...INIT....r....`.......4.............. ....rsrc........p.......8..............@..B.reloc...............<..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2243
                                                                                                                                                                                                                                                                  Entropy (8bit):5.362010783542873
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:ehVVpvnf4+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJfJ0di4yMyAXDwlFLB
                                                                                                                                                                                                                                                                  MD5:AEA986639139A63559A39BE4A9986B39
                                                                                                                                                                                                                                                                  SHA1:87E84FA756B98F1437FF8F8DD9A2DCB6D0628515
                                                                                                                                                                                                                                                                  SHA-256:78A01CCC86628727E603A74BF008DBD95B465031EFA6FB52AB9496293E8470E1
                                                                                                                                                                                                                                                                  SHA-512:37E092646B88E45962737ED696C575F944E15BAD3884442A60D7DE427E8669AE1B3C578CE959D2D304A7668CC84F8F3E0C220A4988D4C15197228466456B3878
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBi

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11712
                                                                                                                                                                                                                                                                  Entropy (8bit):6.022711070794495
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:+SniyJoIo6vyowJL/aoxhHoe068jSJUbueqrII:OyaD8YJLFHJ06dUb+J
                                                                                                                                                                                                                                                                  MD5:B435F95592AD8E6FC3BACD4A7E89B614
                                                                                                                                                                                                                                                                  SHA1:287FA71A499CB6AA7E806BB6106C7401CD504ACA
                                                                                                                                                                                                                                                                  SHA-256:331F200BCEA80E55743CE8CCF49B18785F70CAF21C13B15FBA9A3A9D32C6A46E
                                                                                                                                                                                                                                                                  SHA-512:53373208640AC22F23B4C56D9C9AC32E0837314E736D14FEAF2A571594886A3D6EF42B875980D39FBE9103C101CDAED43740EB026FFFA6019503E39A85E38086
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}K..9*r.9*r.9*r.9*s.:*r.....<*r.....;*r.....8*r.....8*r.Rich9*r.........................PE..L...j .G.............................@....... ...............................p.......b......................................H@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\install.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16
                                                                                                                                                                                                                                                                  Entropy (8bit):3.625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:setupdrv install

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                                                                                                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                                                                                                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                                                                                                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                                                                                                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\uninstall.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):405
                                                                                                                                                                                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                                                                                                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                                                                                                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                                                                                                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                                                                                                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8403
                                                                                                                                                                                                                                                                  Entropy (8bit):7.26515273733877
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:VafwaRJoIo6vyowJL/aoxhHoe068jSJUbueqO0:VQRaD8YJLFHJ06dUb+O0
                                                                                                                                                                                                                                                                  MD5:9B3AB5B97500F2C39C75EA2910BC6420
                                                                                                                                                                                                                                                                  SHA1:42267EA620E0EF5B0F4DBF25B705F1B3C4D03649
                                                                                                                                                                                                                                                                  SHA-256:32557B63B75CE1DBB761C22092E130561FE6B156CD1D0F96E809E8D0A32E89A6
                                                                                                                                                                                                                                                                  SHA-512:BFEBCC8BA47E7E0F7FA6218E2A057C3ADD8C570B839ACA3F159495024028A9F6408143FB7A34F2EAD66278401898150A497339BEF3E671A3212055EC73056009
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0.....+.....7.....v0..r0...+.....7.........8U<F..n1.L.\..081005153929Z0...+.....7.....0...0....R4.7.2.9.5.6.B.E.1.5.7.7.9.6.F.0.3.4.9.B.9.C.D.9.3.0.D.5.0.9.5.1.B.6.2.F.6.9.B.D...1..C02..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........G)V..w..4...0..Q./i.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1..;02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.F.A.3.A.B.F.9.9.C.2.4.E.2.7.D.8.6.3.9.B.2

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25536
                                                                                                                                                                                                                                                                  Entropy (8bit):6.314384276589044
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:jdxcojc4oPxNtS4v28b3pnd6DABnOSLwJiz:jdj9oPxjNv2YnPdpIiz
                                                                                                                                                                                                                                                                  MD5:52E972E497645851FA910787CC2050E0
                                                                                                                                                                                                                                                                  SHA1:1CE9A93996DFC5F24DF8CAD16E15555BE368B956
                                                                                                                                                                                                                                                                  SHA-256:B0C07A2912B4EC67CA8A37B890DB33A62CC0DB3A733CD6D146FF6F865D6E4B88
                                                                                                                                                                                                                                                                  SHA-512:4CADF2BFA9056A1756BB79C4EB2842E8A9A132544305EAB0F1433AF2C890B24DA3614E5E241A86358CF47FBF7F0A783102850346CAB2FA04B1AEDC9B81C79E94
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9.].W.].W.].W.].V.F.W...,.^.W...:.Z.W.....\.W.../.\.W.Rich].W.........PE..d......H...........!.....2..........0=..............................................g'.......................................................p..(............`..,....H..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......<..............@..HINIT.........p.......>.............. ....rsrc................B..............@..B.reloc...............F..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2255
                                                                                                                                                                                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                                                                                                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                                                                                                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                                                                                                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                                                                                                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11712
                                                                                                                                                                                                                                                                  Entropy (8bit):6.137468737457105
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:8CvhDWQJoIo6vyowJL/aoxhHoe068jSJUbueqEQ:hhDWQaD8YJLFHJ06dUb+EQ
                                                                                                                                                                                                                                                                  MD5:0469611E7DC0A882D123DC89FE386C01
                                                                                                                                                                                                                                                                  SHA1:7059D4EFBE980F3A355CF8401A33F7EA1E129CD9
                                                                                                                                                                                                                                                                  SHA-256:BFFA6606A5CCD1F79EF7D0F591BD6EE8FDE28C266EA8C8608D423321174CB87C
                                                                                                                                                                                                                                                                  SHA-512:FA1ED8E1A312497A1DCFB73F12D545BA298063250FCDC9E03B4EC71DD86C91743104EB322351F4AD1E33CDD3E412E92595EBA03EE860D013B0A2646BCB467327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.g'..g'..g'..g&..g'...\..g'...J..g'...Z..g'...J..g'...V..g'...[..g'..._..g'.Rich.g'.........................PE..d...0 .G.........."..................P.......................................p......u.......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\install.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16
                                                                                                                                                                                                                                                                  Entropy (8bit):3.625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:setupdrv install

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):90688
                                                                                                                                                                                                                                                                  Entropy (8bit):6.200844475591763
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:D/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMK:D/QNjfCEoAOD0cUVWhmRLARnSDH5y1y3
                                                                                                                                                                                                                                                                  MD5:137E02F6D5D1BEB5F8096AA34C93545C
                                                                                                                                                                                                                                                                  SHA1:8550A23A017B440A7D558F4DBC959C643262D803
                                                                                                                                                                                                                                                                  SHA-256:9CE571A987AEE98698D1A70D39A744A416136370D5659B23DE8C1CC523CEEB83
                                                                                                                                                                                                                                                                  SHA-512:38DD0F680C3D906307B0BDD835E035D154F0F65DCB69D25455D81F50F6E1ECC3854A507A26B2C1FE029B05EC1BC7ABB974DDB2190BC06B5808C4A14E243E808D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@....................................._......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\uninstall.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):411
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                                                                                                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                                                                                                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                                                                                                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                                                                                                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8367
                                                                                                                                                                                                                                                                  Entropy (8bit):7.272037405136225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:5otYRJoIo6vyowJL/aoxhHoe068jSJUbueqY:nRaD8YJLFHJ06dUb+Y
                                                                                                                                                                                                                                                                  MD5:89A312ED78E1EDAC37DE5FD1D3E4E0EB
                                                                                                                                                                                                                                                                  SHA1:0F913D609437D8B4C2D9675E66C650C6344B93D5
                                                                                                                                                                                                                                                                  SHA-256:065C1A3537BAE5BB645DAC15E068DE3CAEA40E460DF130A05D3CBFE15831E747
                                                                                                                                                                                                                                                                  SHA-512:A20DF9DEA384F8B52F287A2E16076CA32BF965B46A46B28BF49A1F18F342AA1E19A1B7FA7AD303AC3AB91364D5C18BCF62083360AF54DC5EA9236BD90AB35A1B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.....H.`.O.N@...B...b..081005153452Z0...+.....7.....0...0....R1.E.2.1.E.3.7.E.C.2.C.6.8.4.8.9.E.7.6.D.5.E.C.A.0.4.D.A.3.5.1.6.B.9.4.3.2.7.5.F...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........!.~....m^...5..C'_0....R4.5.3.D.8.9.E.E.3.3.4.F.4.7.2.4.3.C.6.C.C.C.5.3.4.A.D.4.D.4.6.9.B.E.3.0.9.7.2.6...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........E=..3OG$<l.SJ..i.0.&0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.B.0.9.9.7.8.F.8.B.F.D.A.2.5.3.F.D.5.7.9.1.3.5.3.1.2.9.3.B.F.2.6.5

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.695099027186018
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:w69hD4isesPZlFwQUWeFtdg4uS8fHt9ndIeBq6H7LFhaD8YJLFHJ06dUb+C1:w6WesRlFwQg1buSCH3nWB6bLPSLwJi2
                                                                                                                                                                                                                                                                  MD5:775286759FF1211C25A8D65D29024FD0
                                                                                                                                                                                                                                                                  SHA1:1E8A304D9DBCF3C0AA09AA10304B09B99995C54F
                                                                                                                                                                                                                                                                  SHA-256:9581581926651D7A2887FD51CE2D7A330333E47C4F91FB34D7B20C058D9B96D2
                                                                                                                                                                                                                                                                  SHA-512:54D4D0A0547311A6B19D5CB196E98DEF93EB5311F1328FA2B3674E81E157D266B2D8CF78E08E547F3BFE21CA716D4679674B23BCE196D612184840E578DAA806
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................9.b.}...}...}...}...g.......~.....S.z.....R.|.....V.|...Rich}...................PE..L......H...........!.....$...........%.......&...............................3......Jk.......................................,..(....................3.......2......p&...............................................&..l............................text...R!.......!.................. ..h.rdata..q....&.......&..............@..H.data...0....(.......(..............@...INIT....^....,.......,.............. ...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2239
                                                                                                                                                                                                                                                                  Entropy (8bit):5.36119317959271
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:ehVVpvn2vF+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJQ20di4yMyAXDwlFLB
                                                                                                                                                                                                                                                                  MD5:D6AEB05521710E2006B4A9E8C07C68C4
                                                                                                                                                                                                                                                                  SHA1:453D89EE334F47243C6CCC534AD4D469BE309726
                                                                                                                                                                                                                                                                  SHA-256:F34C416888AEBE90A29948D95BEB8343B7B49CF7E1BB5193716FD97F0330E842
                                                                                                                                                                                                                                                                  SHA-512:13C61423D966A5A670BED20535BF6EA211FAAAC15CAD7D2E1124A855A27360CD7B97BFE01E5EE368A139DE9CA07B236427A2BEAEAD19F7C72FD610876696D82D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=05/25/2004,1.1..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBinary

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10304
                                                                                                                                                                                                                                                                  Entropy (8bit):6.601225217483284
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:M46n7JoIo6vyowJL/aoxhHoe068jSJUbueqBfg:TW7aD8YJLFHJ06dUb+W
                                                                                                                                                                                                                                                                  MD5:8CD0D603FF051F283CAEE66853622D65
                                                                                                                                                                                                                                                                  SHA1:2BAE5B78077F08564AA8DA2DBD8E91C4692BB211
                                                                                                                                                                                                                                                                  SHA-256:9CF391A95C44F449827004632A3995C66223D24A09CB309CBA2227C94079857E
                                                                                                                                                                                                                                                                  SHA-512:108DC92D80352C3FB2D3EA06B545AA1C19C492506CD0F9C71BF00FF38C97B7BAA840ABD9B33B1E3CE4A154860F1C9301C3504CD1738CC887870025226EA36C32
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................}>..9_..9_..9_..9_..:_...P.<_......;_.....8_.....8_..Rich9_..........................PE..L...X .G...................................................................................................................H...<...............................(....................................................................................text............................... ..h.rdata..............................@..H.data...............................@...INIT............................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\install.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16
                                                                                                                                                                                                                                                                  Entropy (8bit):3.625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                                                                                                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                                                                                                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                                                                                                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                                                                                                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:setupdrv install

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1150
                                                                                                                                                                                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                                                                                                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                                                                                                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                                                                                                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                                                                                                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                                                                                                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                                                                                                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                                                                                                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                                                                                                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\uninstall.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):405
                                                                                                                                                                                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                                                                                                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                                                                                                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                                                                                                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                                                                                                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28904
                                                                                                                                                                                                                                                                  Entropy (8bit):6.117643529522381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:e+YCxM04ZZNXkvT4cTMUBZ17XM/Q3HUL+drIKumXOs:eULtXFULWfZ
                                                                                                                                                                                                                                                                  MD5:87FC012C1B45E780B6CFF6C4F1677C3B
                                                                                                                                                                                                                                                                  SHA1:C8EDB2EA85AE5EC17232F6E4CC5594AFB4805936
                                                                                                                                                                                                                                                                  SHA-256:D09E57690C0E9D6FF7EF26C7DD85F2E6D19C8E7B36CC298AEBAE04B16D59CA45
                                                                                                                                                                                                                                                                  SHA-512:9CD0590444B5FC79CDCD98196D43B027FA17091B49C5246CF9AE97128131BE851D7547BFB5896A2400045CE38901D74A61AEE2DE7D833B178CBDC6EFCC30CBAA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sk..7...7...7...>rn.0...7.......>rz.4...>r|.4...>rj.3...>r`.6...>r}.6...>rx.6...Rich7...........................PE..d...@.@R.........."......8......................................................................................................................(.......8....P..X....T..........(....1...............................................0...............................text...F........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@....... ..............@....pdata..X....P.......$..............@..HPAGE....G....`.......(.............. ..`INIT.................D.............. ....rsrc...8............L..............@..B.reloc..t............R..............@..B........................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):193
                                                                                                                                                                                                                                                                  Entropy (8bit):5.2470977727549695
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dYV0K8G6Pm/mec99KfRFQi64hA3C:kid40K8GteerfUibA3C
                                                                                                                                                                                                                                                                  MD5:1E14B5A16092F96F382E7CC1291A2B8B
                                                                                                                                                                                                                                                                  SHA1:5CBD16AE4C6570AF42D6DC61C64AC2660FD88F60
                                                                                                                                                                                                                                                                  SHA-256:D547136F9EDF4066EF4E59864EED1D45EEBAE7FBB338F0068C925B6E6212A0CE
                                                                                                                                                                                                                                                                  SHA-512:1B5222F0F87C6C4A651868DFF84A7BB69A3C913257F0665DD955AF411AD9FC7D19AA1242F362BA676474CCEDDAC51D2B3A1AAEBA11BAEFEF899C6D5C0F083509
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):207
                                                                                                                                                                                                                                                                  Entropy (8bit):5.345831283284553
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dRLw0K8G6Pm/MWyec99KfRFQi64hA3C:kidm0K8GtfyerfUibA3C
                                                                                                                                                                                                                                                                  MD5:0270238B2339619D2CC54585124D1ED3
                                                                                                                                                                                                                                                                  SHA1:657F624CD74BADB8CB0186731FEDA17A997AD929
                                                                                                                                                                                                                                                                  SHA-256:01D2B51A0E18924936C30611457CAD5C5CC2A803C4CFD45E0850A92F6C55B6D7
                                                                                                                                                                                                                                                                  SHA-512:52A05F90023926CE9274C64CDE925C2C6055439201AF932459D4FED3D823D08164C76695FFEBA1763C4F9D76D52AAB2F86E230603E3DC2FB7664256E1856CFF8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8925
                                                                                                                                                                                                                                                                  Entropy (8bit):7.166871854157093
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:dBsB42FHECwUnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mlv4:kB4UwUnYPL/p1P6j7Tmu
                                                                                                                                                                                                                                                                  MD5:38BEB031E625E814CFA8F84CEEE2B8FF
                                                                                                                                                                                                                                                                  SHA1:103C875EE0378BA5375A34E731FB2AFFC07939E1
                                                                                                                                                                                                                                                                  SHA-256:D441726A3E82AF0DF1C60EDD17B753E59827789BC50E3E79FE957319085F9091
                                                                                                                                                                                                                                                                  SHA-512:45DAD2545DB7B3A43DA22FB04518320BFE7E601AF053866253A52F887EE7C8919587AB11C448D335758BEFE2633D3D176B022F2E29D2B920F6164A6101F7CC41
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0."...*.H........".0."....1.0...+......0..j..+.....7.....[0..W0...+.....7.......L.L..O..Jm. Ym..130924010058Z0...+.....7.....0..S0....R3.7.4.F.E.D.7.A.4.4.6.6.9.F.1.A.C.7.B.0.7.2.B.0.C.7.1.8.5.5.F.5.B.6.B.0.3.5.C.8...1..m08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........7O.zDf...r...U...5.0....R7.C.8.2.3.8.E.F.3.2.B.A.3.9.C.D.9.C.9.4.D.D.0.5.4.5.0.A.7.D.E.0.E.D.E.1.4.5.D.4...1..e08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|.8.2.9....E.}...E.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1897
                                                                                                                                                                                                                                                                  Entropy (8bit):5.40875279355006
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:jshokavrehezNkgyfROQ9gHwuMgHPgHh2v6YgFR:jMokCcakgMgyIMsAegn
                                                                                                                                                                                                                                                                  MD5:A68830A694AB983F0CBF2CC735A535E8
                                                                                                                                                                                                                                                                  SHA1:7C8238EF32BA39CD9C94DD05450A7DE0EDE145D4
                                                                                                                                                                                                                                                                  SHA-256:6F5CA12FFDFF830B32F02AF03C7B385819CC07BB51AC72A20D69B9C51B2E4112
                                                                                                                                                                                                                                                                  SHA-512:581478C5A9488227D0C56E34B7AE353C3FA7068D84023AEC14390B31D24B65BED82FD39590C5A7C4875AD25DEF17FC67ACC97C327D4282AD1E11DD9C260A714C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature="$WINDOWS NT$"..Class=Monitor..ClassGUID={4d36e96e-e325-11ce-bfc1-08002be10318}..Provider=%splashtop%..DriverVer=06/19/2013,1.0.0.1..CatalogFile=stdpms.cat....[SourceDisksFiles]..stdpms.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,64bits....[DestinationDirs]..DefaultDestDir = 10..CopyFunctionDriver = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTAMD64....[Vendor.NTx86]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[Vendor.NTAMD64]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[stdpms.Inst]..CopyFiles=CopyFunctionDriver..AddReg=stdpms.AddReg....[stdpms.AddReg]..HKR,,DevLoader,,*ntkern..HKR,,NTMPDriver,,stdpms.sys..HKR,,Description,,%splashtop.DeviceDesc%....[stdpms.Inst.NT]..CopyFiles=CopyFunctionDriver....[stdpms.Inst.NT.Services]..Addservice = stdpms, 0x00000002, stdpms_Service_Inst....[CopyFunctionDriver]..stdpms.sys,,,2....[stdpms_Service_Inst]..DisplayName = %splashtop.SvcDesc%..ServiceTyp

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):23272
                                                                                                                                                                                                                                                                  Entropy (8bit):6.296320987470735
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:G7yGlvIydpSkgTyLAykFsAZNOhFB8LHFnYPL/p1P6j7rflo:KyGlvIydQkgTgQFJjrFumXflo
                                                                                                                                                                                                                                                                  MD5:F44EC7AB90115F60EE5C89C40326E637
                                                                                                                                                                                                                                                                  SHA1:01BEC4EA8173F191321300587142A6E750728854
                                                                                                                                                                                                                                                                  SHA-256:C870FAFAD5C6DB27954C0440D9EFDDCE7B9C61D754EF0E77ABF18EFA1055DD90
                                                                                                                                                                                                                                                                  SHA-512:17FD122441EB1B2DBEAD9D79E0B8DB2CB0D581B930DF140069BD77440AA4F9BF4DB80784F261F57253CF3351546817238AAC81B2D68DA74884C46D514C9A9EDA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................fd......ft......fc......ff.....Rich....................PE..L...>.@R.................*...........p.......0..............................................................................p..(.......8............>...............0...............................................0...............................text...l........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@......................@...PAGE.........P...................... ..`INIT.........p.......,.............. ....rsrc...8............4..............@..B.reloc..|............:..............@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):429
                                                                                                                                                                                                                                                                  Entropy (8bit):5.13651514908582
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kWgfeVKfDFGjdCi4eGjdyE23B1047V1j47V1u477lLWNi:ZoDowvei8XRC4R94RQ4h9
                                                                                                                                                                                                                                                                  MD5:F42F2B0F25E41755569A7775A5C6F8BA
                                                                                                                                                                                                                                                                  SHA1:B630C60A3375309731B0B7AC33A9D6E12B44ED50
                                                                                                                                                                                                                                                                  SHA-256:F026A21D6037169A81AC862A79E4F47C674B34914C1DED36BCDDB8739C838F46
                                                                                                                                                                                                                                                                  SHA-512:8D9B9335D4767ACFCF651DB62B2B710CC9ECB402980D6A98982A1EA1C0A6F64FBA9762F2A44673CFE5749EE742F5FE68031FCFF968B4B4D2A290E74A0192375B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon.exe /r remove *PNP09FF >> inst.log..utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd.exe /u stdpms.inf >> inst.log..:End

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):447
                                                                                                                                                                                                                                                                  Entropy (8bit):5.223602249135668
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kWgMyeVKfDFGjdd4eGjd0E23B1047V1j47V1u477DLWNi:Z3EDoQeiqXRC4R94RQ4P9
                                                                                                                                                                                                                                                                  MD5:3ADA65DC27A4580E1CF3FDC58A4A8C79
                                                                                                                                                                                                                                                                  SHA1:C1D8A0723FE1C586CEA434297CEF96E4E25C847D
                                                                                                                                                                                                                                                                  SHA-256:21D46DA2DC3808664C0D6028271BE0EEAB25DEFE60653E481238EEE96273E609
                                                                                                                                                                                                                                                                  SHA-512:B55E5E2CD2C1E48C526DEA70C075810F019942A72C2B0BBEF31E2DC8337B104ED5EB199AD6F0D8A16C6DFF3353193E647011A3E80762E47C9E7C13C6FCD4DBB4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon64.exe /r remove *PNP09FF >> inst.log..utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd64.exe /u stdpms.inf >> inst.log..:End

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):207184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.508603224700573
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:SJzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVDB:SEOb5x2NxqFMi
                                                                                                                                                                                                                                                                  MD5:BDF578CA45021464EB4C5F2725FADE13
                                                                                                                                                                                                                                                                  SHA1:17FD8DD28EBE232EDB4A7D5B4A9734D6F48212F3
                                                                                                                                                                                                                                                                  SHA-256:F9711EC83463C8D7D8D3C2E0493BBDD9C55D55869AD49E327CC1F0612A836B51
                                                                                                                                                                                                                                                                  SHA-512:611999852027F5E52A786F4C22A77AF75EE3ECB1584AC1F061100248D19AA1C45C31665A38A46604B1D489A049D3CE00EF43DA7A5E427A3A7C1A5EFA0D874526
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P............@.........................@...}...\...........................P.... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):214992
                                                                                                                                                                                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                                                                                                                                                                                  MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                                                                                                                                                                                  SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                                                                                                                                                                                  SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                                                                                                                                                                                  SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.480280521349599
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:Sooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7niE:SooyFiJRmbzl4mZYYqHz+1l7iE
                                                                                                                                                                                                                                                                  MD5:4359D841792BD3A711065BD347503ED4
                                                                                                                                                                                                                                                                  SHA1:ED3DA69B4DAAEE1E3C6A35B9B22A3608C210B845
                                                                                                                                                                                                                                                                  SHA-256:D8BAC61DF2126D9203B3823AA40AF05FE7B6F9C5122DEBAB5F8CEADD1119773B
                                                                                                                                                                                                                                                                  SHA-512:F1FB6B25199CDBD0C40CCCEB069CF3DC32DEEDC2F21C67CC8C22A189115389795B435631EEA30A94EDE19331FACF475A4BD7163522D9AD0EC1DF6118D1E05EAB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......Y.....@.............................{.......x....0..............."..P....@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):160080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.481630469427064
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:CizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORlE:CUpX8FYFyB8T2oyRa
                                                                                                                                                                                                                                                                  MD5:1E478E7F7D20800B958E2D1780C805F6
                                                                                                                                                                                                                                                                  SHA1:F166DB5211F695BA039DC81C246653EC1B25DC02
                                                                                                                                                                                                                                                                  SHA-256:9989C6791433F8B7FD05F4750F79F9082DBD28087948A366EA695EAC983150CD
                                                                                                                                                                                                                                                                  SHA-512:852EFB6AE48B3C4BAD4B8E11DC46AAA4CA37A501AFD568B469BB9ED43A27086916588F370286DD1F51834037777C4D2518310A37A469AE7BE19CFE36F08A98D3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ .......................................r....@.............................z............`...............T..P....p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):194896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4942111692959354
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:0w8OfdMjstdIxIImJZDpwmw6jse70oSzhiVjkXIS1qPfb3PPqFSqQovoRe9C86/9:0w8wZDxspqPfbuSqQCoSz6/e1+1FiAx3
                                                                                                                                                                                                                                                                  MD5:F0FCF6CB5986E267A978A0DF86471563
                                                                                                                                                                                                                                                                  SHA1:214F4BB84F7A1981D30B7C4BC13C7B3E4A5CC8B3
                                                                                                                                                                                                                                                                  SHA-256:34E4A968A87692DA8A2EF073ADD7E19F32009709B50F7C747D1D8BF261C21CBC
                                                                                                                                                                                                                                                                  SHA-512:529DFD1E587BE6EA67B464C44CC7A0C1B0F6A9CD663590E7BD0083CC7A68DD8F60FC1E81E26012D71CF5C8BD5EFF4B2FB477D5DBEF3FFA1FF4136CE266B5DA6F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......g....@.............................|............... ...............P.......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):245584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.433639873152362
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:0w+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2Wuw:0drWgFEPNB+MPTHIWjP00Ie3
                                                                                                                                                                                                                                                                  MD5:FE4F22128776F52062DD8FA74D0B5075
                                                                                                                                                                                                                                                                  SHA1:3A15B1AD0B5D62D474319A3DB95D985B49537BF1
                                                                                                                                                                                                                                                                  SHA-256:EC4D01234426AAC9FF2751B209B0484769BEE97A0DC930B1B56A1743CD24B805
                                                                                                                                                                                                                                                                  SHA-512:163A78CB59061B4B9BE98DC763109744BBBEEDAF8B3CB7EB19A22334AC1F9223880C0E8684FEB4B363C824D9918E72E1B94D5F76AD63235F8C49ADEFC3713637
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0............................................@..........................(..k.......x........!..............P........,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):238928
                                                                                                                                                                                                                                                                  Entropy (8bit):7.071067596161183
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:OG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtBB:99AP2b+mBQVJLnYlETtug5T
                                                                                                                                                                                                                                                                  MD5:2A397EFDA6D84A15B890D56D4292BA6E
                                                                                                                                                                                                                                                                  SHA1:F985E4893119E6C30191DE84DA25059B33F902A8
                                                                                                                                                                                                                                                                  SHA-256:398AEC7557E2E1DB30EFCA6FDA0D7D23940B863B396C1A4FC2BB588294F595E6
                                                                                                                                                                                                                                                                  SHA-512:A199C2FF26C3A3E1DA54D8386F568FA900B853FE3D3754100904EF3153CD72D672971FF72141D9AE5F5BC467D59E2DDC69856C761BBA9DA4488FC69F52A9E5E0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................P...........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):249168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.2058943183487445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:E/vPLr8AhQh4jhNgZzSNPSVlX4T1FrKT7EjUOkdny+ywlJZcWzV8TMXU7o91y4Rd:i3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ/
                                                                                                                                                                                                                                                                  MD5:EB8DA0234C4D7C7A58B8FB820AFB4BD2
                                                                                                                                                                                                                                                                  SHA1:1DED1192371D0B0BF17F5AC908A96A1499C1CABD
                                                                                                                                                                                                                                                                  SHA-256:88F7BDCB33CDC34B5E8834634A36E2B6A45015016C47EFE4B846A4D202326093
                                                                                                                                                                                                                                                                  SHA-512:789725D38C041CDC311065E7987CC7E79F9A6C00E2F3ABD37096A04F81258636AB0DA6B99F895CC80DA9F770DB0C594EB8467CCA1B77854E091F8FA18F19200D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H..........................................................]@....@..........................................U..}....J...................)......P.......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):237008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                                                                                                                                                                                  MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                                                                                                                                                                                  SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                                                                                                                                                                                  SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                                                                                                                                                                                  SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):168784
                                                                                                                                                                                                                                                                  Entropy (8bit):6.240155377344884
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:l0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qM5F:CfaCIJbglCe1Vu0uIDSlOF
                                                                                                                                                                                                                                                                  MD5:77C729F857CFA38CFE4FCB18EE8F6BAD
                                                                                                                                                                                                                                                                  SHA1:938F96F880E824D03F1174C3D1CD56922452E5CC
                                                                                                                                                                                                                                                                  SHA-256:C1C016F2917B395A16936C692C35B8E6CC4C0196C26BC69AA8A686747BA690AD
                                                                                                                                                                                                                                                                  SHA-512:F921A945EFAD2DF95BAB6574029D6E4502A1C2D52E44550547CE2C812E8D06E8120F9EAB07F728E97F17C4949CC112F20E59938906E0F26988E4F79903BCF658
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................w.....@.........................................`8..{.......x....................v..P...........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):187216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.244838939180771
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:sSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoK4:jvPb6OVrVNJ1ufqBEACjGK
                                                                                                                                                                                                                                                                  MD5:8E2C3434811B348F7AB9F7DEC6E95C3B
                                                                                                                                                                                                                                                                  SHA1:349682719857DB46E4A7EBFCEF0F85264B3116F3
                                                                                                                                                                                                                                                                  SHA-256:11F45D049C8FABF308944D77D17AB3FBB0A7BB5BFA143263B9EFBECA3A568EE3
                                                                                                                                                                                                                                                                  SHA-512:C271F2BBED3E740D771AF1A3BF684F4CB67C8F9B0D20E7D886817602F76BE8A432B05AB4E2AC8FDFCEEAA194602C81D8C9FFE6E015D224C6DC9C40F125365F5D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n....................................................... ....@.........................................0}..z....r..........................P...............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):244560
                                                                                                                                                                                                                                                                  Entropy (8bit):6.236867435454928
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:RuctDSdRbMOiymM/Cufn5B+1jowgreeTwcL:RqXMOFmA5VwgBE0
                                                                                                                                                                                                                                                                  MD5:61BD6282DB08405FD08C64BC00CEBF4B
                                                                                                                                                                                                                                                                  SHA1:EC4391249AE7247162C0D28B50ED73B1DCD11246
                                                                                                                                                                                                                                                                  SHA-256:A3BF8ED5ACCB8EBCA5C9A4430FA54A492E39160AE2BA51285D241D75F1743848
                                                                                                                                                                                                                                                                  SHA-512:DFEF9209C57E890F7D29280F6A296C5A9D1C3F496464C9EEA28DB0E1C407F2C5042DF926D442480359A120A93D8C44536C5A0C119C3AB6E7D15685F157E28DD6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`.....................................................@..........................................L..|....@.......... ........*......P............................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):333136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.120290709944056
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:TJNLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00Io:TJ1j1aVfgFiQ/ug/G1
                                                                                                                                                                                                                                                                  MD5:8EFFB8A42CBC831CD360E9B1BEF65D98
                                                                                                                                                                                                                                                                  SHA1:BA78110DA11B7C8C6432F1A128B7D9DF384AE9FD
                                                                                                                                                                                                                                                                  SHA-256:ECB1BCEA47422DBFD4326669AC5B2DB463088994B12008258EFF2C546237864F
                                                                                                                                                                                                                                                                  SHA-512:B29D4B954619355A2797A4CA88664BC9679AD1C5EB4A2FE54BAE63399DF06405969B4E2D0098AD6A7C8E0C7A2A9E19F0DE20C5B1D401D933D89D2D71F7A32789
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......5C....@..........................................]..k....S..x........!.......:......P....0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):273232
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8361644522698635
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:7j4c/JPjXOQTuGkfIpmWpnETJLnYlETtu/:7j4cBbEZTTJDY+0
                                                                                                                                                                                                                                                                  MD5:C52E66AE497C51CF73098D494EEBF8F0
                                                                                                                                                                                                                                                                  SHA1:8E7E38F30FAD35D8ED935B14FFA1BB5A9EABE4D0
                                                                                                                                                                                                                                                                  SHA-256:F6F7D5C20A078BE7ABD2402316A605F050388C6303D7F3ABC45F201D1FC5F1FD
                                                                                                                                                                                                                                                                  SHA-512:579E0DD63720B6D004FFBE6AE1686F43B70CEB8722DAC70FD06E5B06682C0F22282374D5394C06398252A2EA8163EA884239A8065EC5807DE1A9389A479CFC36
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`............@.............................................|............0...........$......P....P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):867
                                                                                                                                                                                                                                                                  Entropy (8bit):5.162389785193304
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:XrWWFwD7WR8mI/xOZE
                                                                                                                                                                                                                                                                  MD5:013784DA9890EAB3D914505857EDF2B7
                                                                                                                                                                                                                                                                  SHA1:92C9CA11174E98F65AD6898705176ED50EF55F95
                                                                                                                                                                                                                                                                  SHA-256:CDA5DEBA2BE6CFE1E111DF596AC08D45762A96B14AEC796C4E70F128C0734EAC
                                                                                                                                                                                                                                                                  SHA-512:9D71BEE329BDDA3B8EA064BB92813062D91079BA841AE50D6CC7D2AEAD27D49279D2857141C02BD5FA565D5C497E9E8E8163579A425F7C87550F1F0EFC194652
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):879
                                                                                                                                                                                                                                                                  Entropy (8bit):5.190136582088596
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:XrWWFwD7WR8fCI/xOZE
                                                                                                                                                                                                                                                                  MD5:0A0EE03D0C51915B2815280B476530F4
                                                                                                                                                                                                                                                                  SHA1:6C074D8E0D462B6E6D0CC5C02BABB88D483E3551
                                                                                                                                                                                                                                                                  SHA-256:C3FB7578267FA09C4446C926532FD869DD8E74CD20AF2915BBEE32DB4D647C9D
                                                                                                                                                                                                                                                                  SHA-512:85EC5D2898892F847618D7A10D7DD680839A3D0E55603D56C5C39568E8D7B0F63F7A10BF4B063611B9ECD395BD73B89010B421ADD481CDBEF0A50B3770A9C9F8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_mount.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):214
                                                                                                                                                                                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                                                                                                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                                                                                                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                                                                                                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                                                                                                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_unmount.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):203
                                                                                                                                                                                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                                                                                                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                                                                                                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                                                                                                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                                                                                                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17908
                                                                                                                                                                                                                                                                  Entropy (8bit):6.33935778048778
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:fNDJbjaXGStblM2wk0mev6/9IDRfupdYpJIBbIgx+4lMrp2/CsECw8nYe+PjPVhc:n3dw75xa1Sw8nYPLVhtOUez
                                                                                                                                                                                                                                                                  MD5:2DAC6568B843EBDC5C98598CA32918BE
                                                                                                                                                                                                                                                                  SHA1:E7740E4BE7F71A82ADBB6E5224D33534E237614C
                                                                                                                                                                                                                                                                  SHA-256:EB61A0E06BF8C69597F9BB1909E3EB4F926E49800C3F9721FDA3007993DA5EE7
                                                                                                                                                                                                                                                                  SHA-512:1BC8AA82E68911F5EE1835D19CF49A736C1C35C2F6B4FCD48C3C6FCF7FF6958400D1E815C5E891E172AF9035232175BB00E8A21F5A0590F02DC683F45A6C3D8B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.E...*.H........E.0.E....1.0...`.H.e......0.)...+.....7....(.0.(.0...+.....7....."@..g.O........190419043016Z0...+.....7.....0.(*0....R0.7.B.D.E.B.D.2.1.F.7.7.9.4.E.8.9.E.A.B.D.7.8.5.2.7.7.0.F.9.C.3.C.7.E.4.2.5.0.6...1..Q08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.............w...'p....%.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.9.2.2.5.D.8.6.A.4.8.9.4.8.1.5.2.D.E.3.A.F.3.4.6.4.9.1.B.8.9.3.5.7.9.2.5.3.C.A...1..G06..+.....7...1(0&...F.i.l.e........x.d.n.u.p...g.p.d...0E..+.....7...17050...+.....7.......0!0...+........."]...H.-.4d...W.S.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.3.F.C.5.E.A

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2793
                                                                                                                                                                                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                                                                                                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                                                                                                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                                                                                                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                                                                                                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2543
                                                                                                                                                                                                                                                                  Entropy (8bit):5.42985763446162
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2uMRFNu4TMlWaDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKc:QFQ4ShC66ZLq7UAq7zq7o
                                                                                                                                                                                                                                                                  MD5:C228BF417378FD98E4229A2BA3054CAE
                                                                                                                                                                                                                                                                  SHA1:175CCDA93EF8EDBFAB2F1BE507F64690FE5BECE9
                                                                                                                                                                                                                                                                  SHA-256:1DFD5E0AD2765E39A614EF56603A749C095DDC00E6F50079CDDDA8E18159E73B
                                                                                                                                                                                                                                                                  SHA-512:6F9D65AA46B702E55D34532A37B33993AD53AB305679768F419A74B8CE2EF8C494CC877606C3C663545111F1189CE4456798D465C1A5EB4F7B6708DEB2A6B719
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F /Q "%

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2513
                                                                                                                                                                                                                                                                  Entropy (8bit):5.408021383480619
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2uMRFNu4TMlWkDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SDC64ZLq7xq7zq7Z
                                                                                                                                                                                                                                                                  MD5:DB05A3CA2E7604DC2E29A922A4545075
                                                                                                                                                                                                                                                                  SHA1:0430C36BD56EAC3F65E0060CE91DC60E31F822C5
                                                                                                                                                                                                                                                                  SHA-256:9E0BD257BFE859F462EEE9E0F1DC20768425F73C9E90B0F7F5EE450726FBB56F
                                                                                                                                                                                                                                                                  SHA-512:9FDD486F4F7F5D1ED3CBEF4A2246416F88643E27E76D79A433E5450D8790BA264C3219555A0CB57602BC2E3F884C1E1449EA0688D59355D68E23DBE9499F8B60
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd64.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%WINDIR%

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):7680
                                                                                                                                                                                                                                                                  Entropy (8bit):5.202360830491015
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:6HbQ34Dthj/wKzGMdCprD4iZ7F+gUABoTndoIvJJGtVAm6XyC7tCEqqb:6Hs4thgNDZ7F+gvqdHvJJ4VR6XPnb
                                                                                                                                                                                                                                                                  MD5:B6CA717203EF9E8DD1205CAC5D3AF38F
                                                                                                                                                                                                                                                                  SHA1:818438149A92551042A5D2ABD9000DBE67D93C67
                                                                                                                                                                                                                                                                  SHA-256:66986A04FDEF120D7F18351648A8737979DFAA3CA82F6504B3EA14F45BEC130C
                                                                                                                                                                                                                                                                  SHA-512:99D21F55B7E754A2D6063BE9302874D757344893CB496F574C2DB7F124071C361894508BADF7137B17A572EF9792F7E3B3C21292250D76CD33B9863D52A300D6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..|..|..|..u.!.}..u.7.i..u.0.~..u.'.{..|..W..u.>.~..u.%.}..Rich|..................PE..L.....8R..................................... ....@..........................`......q.....@.................................."..P....@.......................P..T.... ...............................!..@............ ...............................text...>........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):216416
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5890891928333435
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:8JzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVxy8iK:8EOb5x2NxqFMaP
                                                                                                                                                                                                                                                                  MD5:D57E38A511B607A79307F6966D5F862A
                                                                                                                                                                                                                                                                  SHA1:7F66DC176D9BDE0715A9050CAD9BA91785F7B192
                                                                                                                                                                                                                                                                  SHA-256:EF3A7B03F011CBAD96F503BF12BD151B97BAE1EACC700A7F352D175CCFDDB969
                                                                                                                                                                                                                                                                  SHA-512:72DF85067747090A20441F052796F5BCED00B4F8268568F14646A0C5A0CCD27DC87C9AFEEC689178F885CEDEE0636D61F238F36348F66E7D2EE940D09130C2C1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P......R.....@.........................@...}...\...........................`A... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):214992
                                                                                                                                                                                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                                                                                                                                                                                  MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                                                                                                                                                                                  SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                                                                                                                                                                                  SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                                                                                                                                                                                  SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):156512
                                                                                                                                                                                                                                                                  Entropy (8bit):6.590357914627137
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:Wooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7nkrZg8iE:WooyFiJRmbzl4mZYYqHz+1l7ki8iE
                                                                                                                                                                                                                                                                  MD5:C892519FE8AE2163C1368579EEC134F3
                                                                                                                                                                                                                                                                  SHA1:D5C75AABEDAD20373E7CA40CAF5C986C850974BE
                                                                                                                                                                                                                                                                  SHA-256:B8C8B0F1DB2CEA6FAB3EEE350143BC677DA3A1E4B246325852B8A0B94A4A77D4
                                                                                                                                                                                                                                                                  SHA-512:7A2C0C78237E8528AD691D2F7377D33FFCCA06925359CAD0B787DF919A81EDDCB9296F1EE446BDE83CECF3520A070E72BE7956838BD1337987B422127121E093
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......(.....@.............................{.......x....0..............."..`A...@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):169312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.584431984131001
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:XizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORTj8i0K:XUpX8FYFyB8T2oyREtK
                                                                                                                                                                                                                                                                  MD5:4FFADA79BA20A933429F72D3B8CF61D9
                                                                                                                                                                                                                                                                  SHA1:77E7346EF7E7A31A8000150B4B0E4B21CA3BF381
                                                                                                                                                                                                                                                                  SHA-256:0FF6DD54C4DC7368BD7BAEFFA8CBD294DB31AA318F8F0FBD9088C15B61EB8854
                                                                                                                                                                                                                                                                  SHA-512:839ABEBEF1A76D168043C8DDFB6B8DF958CA89C3DF602B5B538EB6398332E785C4B0359CB6DF557252BD1191BCAC5C1E1AED6942D2848B5C898BA2FC8EF8D0B7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ ......................................O.....@.............................z............`...............T..`A...p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):204128
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5795919533739005
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:9w8wZDxspqPfbuSqQCoSz6/e1+1FiATl8i9:fw3owojmVW0
                                                                                                                                                                                                                                                                  MD5:B4AD99DFCCB67C77F6C8E142EE5AD5BA
                                                                                                                                                                                                                                                                  SHA1:D10B7BE8A5C339185B8E409D4C0BE2103230BAA0
                                                                                                                                                                                                                                                                  SHA-256:5A280F84B70F41D90B122DBC8E8FCBDA414353CC5C87580FA30B3B51B7696207
                                                                                                                                                                                                                                                                  SHA-512:EEBC321D90737E161B452D6E27398D1CC1D4737DBE90F7FE5C407C1732178E30CD87228FB0C8B6C6F3B118DC7E46985D231F3059996452861BFCA1AD4A098077
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......-....@.............................|............... ...............`A......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):254816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5058723884762335
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:kw+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2wUj8ii:kdrWgFEPNB+MPTHIWjP00IedH
                                                                                                                                                                                                                                                                  MD5:BB8D8CE6F052BE2BA3A39768528B88C6
                                                                                                                                                                                                                                                                  SHA1:0C2D48F22C7231C52C9FDDD35120E971ABA05EC4
                                                                                                                                                                                                                                                                  SHA-256:B61BA88D2BB36A0A56F00C455BBC530703415F176B5715E9D24FAB82CC935140
                                                                                                                                                                                                                                                                  SHA-512:EF3CED636733BCF45CE4E1D21D33F50945D6FFE2A5478A19D538A30C3071E5F78D539B0E3718EEAF404614EEE182E60AE3697E499C0D7EC769D272CD5B58CCA9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0.......................................l....@..........................(..k.......x........!..............`A.......,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):248160
                                                                                                                                                                                                                                                                  Entropy (8bit):7.1098745205591625
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:AG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtvU8il:f9AP2b+mBQVJLnYlETtug5jw
                                                                                                                                                                                                                                                                  MD5:62945189F63210AFE22EC07C93A323C2
                                                                                                                                                                                                                                                                  SHA1:ADEE11D641B6BC9E9F46B95388680D291C795A33
                                                                                                                                                                                                                                                                  SHA-256:DD36F7448202BB06C634DD18F911B830615B61E9849900C7DCD92B1157F2C671
                                                                                                                                                                                                                                                                  SHA-512:B62D7E7668F2E02330690D373EFB815FBBBD12E771FDB4EA46EDA8386AB8A969DB40158132F8C15ACA65C87CDF8920D46075055BB9B73DF42FD49777DF7EB6BD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................`A..........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):258400
                                                                                                                                                                                                                                                                  Entropy (8bit):6.288592681682295
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:I3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ3H+:IUlJVmgh5asJ3+
                                                                                                                                                                                                                                                                  MD5:372C4A2430E2BF3E0A3C0D51996ADEA5
                                                                                                                                                                                                                                                                  SHA1:F6F2F8D750D08BE940AE2B655804C106E9C7491D
                                                                                                                                                                                                                                                                  SHA-256:FE632C826ABA5F694DE6684506B72BDECBFD712E9DE2ACDDDE1F2C880EE2646B
                                                                                                                                                                                                                                                                  SHA-512:C017A180893D39463068DA5DF647D959603CEE7979CA420963FEF9D09309FCA0B744D7268DC2A0FC4AFCD41F912714CF14003CC9AC5FB6A033AA91962E9981C3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H................................................................@..........................................U..}....J...................)......`A......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):237008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                                                                                                                                                                                  MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                                                                                                                                                                                  SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                                                                                                                                                                                  SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                                                                                                                                                                                  SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):178016
                                                                                                                                                                                                                                                                  Entropy (8bit):6.354805848687379
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:X0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qubG8iu:EfaCIJbglCe1Vu0uIDSlWtf
                                                                                                                                                                                                                                                                  MD5:D16039589730B0C6E6B5227C041FB1B4
                                                                                                                                                                                                                                                                  SHA1:F8F942DBB62CBC15F7ED0BE8750C9C564638FBF8
                                                                                                                                                                                                                                                                  SHA-256:ACA0DF6F5EB1DE40506943B30BBDA614F886523C093F5C9A3587C3E1161F0DF0
                                                                                                                                                                                                                                                                  SHA-512:35ED0D4AD06E4979970CA2AD58B81735E50AAB755605216BB059EBE698B82F6C627F5F7E29ADC9FB3BC58C7EFB4E8ACA2B323F2E2813D4EA7EE39363DE0E1D64
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................K.....@.........................................`8..{.......x....................v..`A..........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):196448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.349185940783631
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:lSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoEM8ip:AvPb6OVrVNJ1ufqBEACjG/Y
                                                                                                                                                                                                                                                                  MD5:A88901EB863EC013B461A84DACB4C795
                                                                                                                                                                                                                                                                  SHA1:40303F44732A2C8DBEAF4EC13CD32FCED66D8F8A
                                                                                                                                                                                                                                                                  SHA-256:FF295F8914F76DFE707455FE633BFC42B805BB4D3274C2290E1E5D56A383E969
                                                                                                                                                                                                                                                                  SHA-512:92BD7F2CE6DB83A744972503B4352ADC210FE10C0BDC026F953A925361365E95B79A4A1CEF3677266AE7178FAC24AA64A353115362E987F1DFD84BA38A6F9B25
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n...........................................................@.........................................0}..z....r..........................`A..............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):253792
                                                                                                                                                                                                                                                                  Entropy (8bit):6.319719994714089
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:NuctDSdRbMOiymM/Cufn5B+1jowgreeTwcV1:NqXMOFmA5VwgBEg1
                                                                                                                                                                                                                                                                  MD5:668A98269B12A2C17E39137AC8D7B716
                                                                                                                                                                                                                                                                  SHA1:E438E9031338158FE70B9D7821200DC4929380CA
                                                                                                                                                                                                                                                                  SHA-256:200D323E0842ABC93E22F6D475928AB0DAC6AA9F3824CF8E729E8049852AC54A
                                                                                                                                                                                                                                                                  SHA-512:E2E425489A084022AE23AF65D4869B24A247E3159DA5ED4E31B0CDB11C0BE30AF9EEA12ECF68F9C8269B60ECC1BB489F3EFDE00F4F8885AA2631EFAB3E54BCBC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`................................................8....@..........................................L..|....@.......... ........*......`A...........................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):342368
                                                                                                                                                                                                                                                                  Entropy (8bit):6.187004427741537
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:T7NLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00I7Q:T71j1aVfgFiQ/ug/GMQ
                                                                                                                                                                                                                                                                  MD5:96BDC666BCD7D432D6C7D4170C8E6046
                                                                                                                                                                                                                                                                  SHA1:1B705A191731ECA3369435D9906C8275C5D326C2
                                                                                                                                                                                                                                                                  SHA-256:DC4C32919B533A79D9EA76BDE59975DD149AA9C7B7278B076019C080A3A97C56
                                                                                                                                                                                                                                                                  SHA-512:DDD9E42633F98A7E5F6F7E3E4571815F9D80EA16084B23A82DBE22E929FD6F0BD791EB3DFA7BB229D73D101C66077C99FE47A5CEAB1DF6917A6E4DF209853162
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......~d....@..........................................]..k....S..x........!.......:......`A...0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):282464
                                                                                                                                                                                                                                                                  Entropy (8bit):6.880530047125276
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:tj4c/JPjXOQTuGkfIpmWpnETJLnYlETtuwv:tj4cBbEZTTJDY+jv
                                                                                                                                                                                                                                                                  MD5:F26D954E0F23049CAA4F698934DB5371
                                                                                                                                                                                                                                                                  SHA1:B0FC39DFF9871778A767B95F0D1CD6E56F939071
                                                                                                                                                                                                                                                                  SHA-256:186500D4E31ADF5FA2DC02F112EDE6FCA86C1BC48731EA224CFE83C160ABD1CD
                                                                                                                                                                                                                                                                  SHA-512:BF79667EC9E85FCC6214BB8B3352DCF4B43A042708F471C293B507574A446D938C4E5981C6E9FA4E81AF98A91B6A72CB678F06B91E064F3FCA48744DC0DFF94F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`...........@.............................................|............0...........$......`A...P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):870
                                                                                                                                                                                                                                                                  Entropy (8bit):5.164710229415834
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:BrWWFwD7WR8mI/xOZE
                                                                                                                                                                                                                                                                  MD5:50B0957220D10275274CAC025EAA6883
                                                                                                                                                                                                                                                                  SHA1:8F677ED1CD73A05F634AA06AD6BED1DA4C6BD80F
                                                                                                                                                                                                                                                                  SHA-256:B76D74AEC705A3F9FD055307A966777ADB279FB06D03524C992E608FE73AEB22
                                                                                                                                                                                                                                                                  SHA-512:C62DAAC3AC516500D819718BF5697D948B6EB684276A21A80E6E9C26FE5F1D0593D7FE281702D3BC48D2A1897B0EB7BD910CEE0978950C0F6636FB86E72B6BD3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):882
                                                                                                                                                                                                                                                                  Entropy (8bit):5.192332970304343
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:BrWWFwD7WR8fCI/xOZE
                                                                                                                                                                                                                                                                  MD5:16BBC22B18C5325649C98DD02F3DDDBF
                                                                                                                                                                                                                                                                  SHA1:B6F97171D20CBC84DEDB07C304F92B25B5A08450
                                                                                                                                                                                                                                                                  SHA-256:8C3BED319076C7B27FB5D9CD7DCE31E8EE09624E191BC3D709962426FB12951A
                                                                                                                                                                                                                                                                  SHA-512:293E8BF93A22021FD80AA95A30965287BF40F5030DA457BC16D004E86C3B3FF8983DA8C0D743A42F1CBF935A2EB8E1CB5FCB488914B51330686B2C60BD1C71B9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_mount.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):214
                                                                                                                                                                                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                                                                                                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                                                                                                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                                                                                                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                                                                                                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_unmount.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):203
                                                                                                                                                                                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                                                                                                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                                                                                                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                                                                                                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                                                                                                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):19851
                                                                                                                                                                                                                                                                  Entropy (8bit):6.774813122930257
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:UelM68cpgw3otOCxH50u4RkeelMpSfpd/CJHJ2elMSJfApwtNJKGT1hvJNMvIqvQ:EWtO5smIwg9Zh3q8pUclGNbc
                                                                                                                                                                                                                                                                  MD5:1D56A3F8D7F5DAB184A8CC4FEDDAA173
                                                                                                                                                                                                                                                                  SHA1:75D291CB96FDC05D54C962F1CB08796EE439B22F
                                                                                                                                                                                                                                                                  SHA-256:84E1A32B4975E92477CF6A36D8931921DA735EF988E0C09A2B056F2904541B1E
                                                                                                                                                                                                                                                                  SHA-512:FB58167A98D9309A703F06D5C6414AB707B37E90A26BFC1C0812B10381C116FA6C7C26AC30FC8570B8F87186775BC64E7AF6D409A7D213FC3B4B76B0B7A76FB6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.M...*.H........Mx0.Mt...1.0...`.H.e......0.)...+.....7....).0.).0...+.....7.......m...G..|.O.p...190419044412Z0...+.....7.....0.(.0.... ....z.sXce...j.....Z.j.R...Z.#/.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.s.m.p.l.u.i...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....z.sXce...j.....Z.j.R...Z.#/.0.........w...'p....%.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0.... ...v...f..t..t........n.....d.*1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.w.s.c.r.g.b...i.c.c...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ...v...f..t..t........n.....d.*0.... ..T...x....0.DU._........z.^...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........x.d.p.g.s.c.l...g.p.d...0U..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2793
                                                                                                                                                                                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                                                                                                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                                                                                                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                                                                                                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                                                                                                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2561
                                                                                                                                                                                                                                                                  Entropy (8bit):5.431790187193416
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2uMRFNu4TMlWoDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKo:QFQ4SDC66ZLq7UAq7zq7E
                                                                                                                                                                                                                                                                  MD5:AD8561D2E73AFD63F5A088972D435467
                                                                                                                                                                                                                                                                  SHA1:FA7F53A308C00B0C5E1ACE95489658840EAF13A3
                                                                                                                                                                                                                                                                  SHA-256:68C4AF8BB6C4FB75CFA95739DF4E3B288DBBFB141E6851275E2F9EFFCA893015
                                                                                                                                                                                                                                                                  SHA-512:AA240EFD0EFD508CE48D444997E65DE8A36DE321764196C294F1366A77C3D30AEA6BF31AF53C7644BD3D027284B266D06D0B574E69598D50D44005718F3F2178
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2519
                                                                                                                                                                                                                                                                  Entropy (8bit):5.407961236238507
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2uMRFNu4TMlWSDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SJC64ZLq7xq7zq7Z
                                                                                                                                                                                                                                                                  MD5:5FD0095B7389DBEDA4EC394C06AC4657
                                                                                                                                                                                                                                                                  SHA1:7C5D1C3E2B062F6E993AB34292749B03FD7007A8
                                                                                                                                                                                                                                                                  SHA-256:692FE4C899554BBFA0A05A0183F46C23A24E48FB4371DC0863B7A24452FE5252
                                                                                                                                                                                                                                                                  SHA-512:F38926653AF960FE11AD843E7C89BB9DC62C29225D2DF10B0CA9BA4F668637BE053778EE726F42A2DC76FA801593A08A69DE4CDEFCB9BE037CA094D34773A8D6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd64.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%W

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdCMYKPrinter.icc

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):849080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                                                                                                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                                                                                                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                                                                                                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                                                                                                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdbook.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1808
                                                                                                                                                                                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                                                                                                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                                                                                                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                                                                                                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                                                                                                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdcolman.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2718
                                                                                                                                                                                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                                                                                                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                                                                                                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                                                                                                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                                                                                                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnames.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):6871
                                                                                                                                                                                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                                                                                                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                                                                                                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                                                                                                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                                                                                                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4068
                                                                                                                                                                                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                                                                                                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                                                                                                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                                                                                                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                                                                                                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdpgscl.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2522
                                                                                                                                                                                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                                                                                                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                                                                                                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                                                                                                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                                                                                                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl-PipelineConfig.xml

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2476
                                                                                                                                                                                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                                                                                                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                                                                                                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                                                                                                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                                                                                                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11986
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                                                                                                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                                                                                                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                                                                                                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                                                                                                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):475
                                                                                                                                                                                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                                                                                                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                                                                                                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                                                                                                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                                                                                                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwmark.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1554
                                                                                                                                                                                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                                                                                                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                                                                                                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                                                                                                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                                                                                                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwscRGB.icc

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):124856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                                                                                                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                                                                                                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                                                                                                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                                                                                                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdCMYKPrinter.icc

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):849080
                                                                                                                                                                                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                                                                                                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                                                                                                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                                                                                                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                                                                                                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdbook.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1808
                                                                                                                                                                                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                                                                                                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                                                                                                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                                                                                                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                                                                                                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdcolman.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2718
                                                                                                                                                                                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                                                                                                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                                                                                                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                                                                                                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                                                                                                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnames.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):6871
                                                                                                                                                                                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                                                                                                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                                                                                                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                                                                                                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                                                                                                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnup.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4068
                                                                                                                                                                                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                                                                                                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                                                                                                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                                                                                                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                                                                                                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdpgscl.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2522
                                                                                                                                                                                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                                                                                                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                                                                                                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                                                                                                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                                                                                                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl-PipelineConfig.xml

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2476
                                                                                                                                                                                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                                                                                                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                                                                                                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                                                                                                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                                                                                                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11986
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                                                                                                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                                                                                                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                                                                                                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                                                                                                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):475
                                                                                                                                                                                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                                                                                                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                                                                                                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                                                                                                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                                                                                                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwmark.gpd

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1554
                                                                                                                                                                                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                                                                                                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                                                                                                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                                                                                                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                                                                                                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwscRGB.icc

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):124856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                                                                                                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                                                                                                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                                                                                                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                                                                                                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):55112
                                                                                                                                                                                                                                                                  Entropy (8bit):6.95804253448452
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:+EmCoFSZSI9Xhq7xYQAucXy069A3hKhy06ia3hyKb3LCxLVNe9zLuX:+EmPFSYWXf69A3hK16x3hyKbOnNazSX
                                                                                                                                                                                                                                                                  MD5:9D62CBDE4079B1BE2CB1B91BDD74E539
                                                                                                                                                                                                                                                                  SHA1:C54E743DE54B9D1D35CDA8F15562483163A064C0
                                                                                                                                                                                                                                                                  SHA-256:63347E07C934A788F5996EF91D86F718C273DB6221BF448F0659F70194A65031
                                                                                                                                                                                                                                                                  SHA-512:E3DE199BAABCB087A07071D67F2A0EE3E0F01E06B23B75B6FDCF1146CE782263E1A63D32B4DAFF3699766FD3922AB41F9DCB4497398DB5F0DA9EA33F5FDDF24C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5..5..5..!..4..!..2..5.....!..3.....>.... .4.....4..Rich5..........................PE..L...;..b.................D...&......0p....... ....@..................................i....@E................................`p..P.......p............n..Hi...........(..8...........................8)............... ...............................text...w........................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):62816
                                                                                                                                                                                                                                                                  Entropy (8bit):6.690155437787919
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:7FkBLAYEMVmkPGsfD6ppH3hLW6G3heObqQyvzP:75YskPGiDaphWqOuQyvr
                                                                                                                                                                                                                                                                  MD5:9CE89A1A93E196AA261561B1E5C3AFC6
                                                                                                                                                                                                                                                                  SHA1:8ECDB82C1C4A9C4431826097EDB11718152AD7A5
                                                                                                                                                                                                                                                                  SHA-256:CBB084056495566BFC8D933D7094694053ADDB91C190F95F791016CF6368D94D
                                                                                                                                                                                                                                                                  SHA-512:A4E7E93819CDCFDF0ED468F0138AD2774D2D7D8A587A01A4745F61AC27DFCD41A49922827E7029FC7564DF3866C64464B7B131CEBF3D39AD85D94E533AE53C5B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+..*.+..*...+...+..+..*.+..*.+L..*...+L.a+.+L..*.+Rich...+................PE..d...8..b.........."......R...8......0..........@.....................................%....`A....................................................<.......p....p..........`i......T....<..8...........................P<...............0..0............................text...)........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE....$7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B........................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):285
                                                                                                                                                                                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                                                                                                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                                                                                                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                                                                                                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                                                                                                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):289
                                                                                                                                                                                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                                                                                                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                                                                                                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                                                                                                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                                                                                                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11950
                                                                                                                                                                                                                                                                  Entropy (8bit):7.350152493437532
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:mgQzOQtQyQHOQqQWNJCHF1agjEwOXP6hYCe68JGlD/Jn9VOMbSX01k9z3AoXSkqr:INg/k6h3e1GlD/LVNSR9zrVqr
                                                                                                                                                                                                                                                                  MD5:6E88194D307CE842B43826CA7B473411
                                                                                                                                                                                                                                                                  SHA1:1C8767D498A53C6287EA89BCEB43A21C4F4AF479
                                                                                                                                                                                                                                                                  SHA-256:E75BF820E72813D3C46D11502267B3FE445E9A7F05E855DF97811D3E2333EE3A
                                                                                                                                                                                                                                                                  SHA-512:016B756C585648B0AF746E906302FC021516B0419DBD9B5444B11C709D3C6AE8CF330A1A49D7ACD341846D558FDC18C1DE5B97DA59ED53C887A854B8BDA5679F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7.....y...K.O.."+ H.I..220214055503Z0...+.....7.....0...0......(u..m.,..E5.IhF..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0....6=0..z..-.c..q..xS.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0.... Vf.*...S.....3...7.D.%.Azv).`>1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Vf.*...S.....3...7.D.%.Azv).`>0... .j.[6=uPASr......) .N.g].!i.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .j.[6=uPASr......) .N.g].!i.0.....U....Z....$......1..0...+...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4338
                                                                                                                                                                                                                                                                  Entropy (8bit):5.5192534972153515
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:2kSMHhlJjFdN5JHzI8LeTMdH33I8vV4xmzAchZ8MMCuj:2kSMHdxdnJHTeT+3B4xm09j
                                                                                                                                                                                                                                                                  MD5:8E91B0F01FFE8DF22050392F91D8F28D
                                                                                                                                                                                                                                                                  SHA1:1ECD2875D29F0F6DE62C1DBA4535D7496846B70D
                                                                                                                                                                                                                                                                  SHA-256:946AE6ACA55B363D7550415372A8A483BEDA152920104EE4675DD4AC2169ECA1
                                                                                                                                                                                                                                                                  SHA-512:5B421B323084E851154C15E22769BDBA12C555DD8DF949B21719CF13C0549EEE1AC48C4EC4802EC08A725A4515C449BACE6E43F0DC67B54BAB1DB08D2408AA59
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 02/14/2022,1.0.3.0..CatalogFile .= stvad.cat....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVAD.DeviceDesc% =

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):206
                                                                                                                                                                                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                                                                                                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                                                                                                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                                                                                                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                                                                                                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):212
                                                                                                                                                                                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                                                                                                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                                                                                                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                                                                                                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                                                                                                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):45320
                                                                                                                                                                                                                                                                  Entropy (8bit):6.720475524234058
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:G9CoFe+yIPYhqU1YQ7YemerV3hvrOyk3hH63:G9PFe3VYq3hvrOX3hH+
                                                                                                                                                                                                                                                                  MD5:A9D239E41BAED5879255923481C73D11
                                                                                                                                                                                                                                                                  SHA1:FE581685174CEFCAD994BB8EC1A70537BB8CA626
                                                                                                                                                                                                                                                                  SHA-256:5118FB2A6A4B1E37AA12544E5864B77733739FB5EFBC4997F3A5A3EF385FE9B9
                                                                                                                                                                                                                                                                  SHA-512:5460CDDD61A79C9C4982106344F4354E55C93AC996EF7315DE635F2F45EFE8A9BDFF37664137E7307E8C9654BCD16ACC65B8471D08E09DAA798502B0973E3DAD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L....0Ca.................D...&......0p....... ....@.................................N.....@E................................xp..P.......p............n...C...........(..8...........................8)..@............ ...............................text............................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53000
                                                                                                                                                                                                                                                                  Entropy (8bit):6.411029825578745
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:HD4P58VeNfba5EMjxMXOkvmWvwDtmmEfdgA5lER3hjgxW3hyB:8PiVeNYEMVz4TVRl+3hjgg3hyB
                                                                                                                                                                                                                                                                  MD5:E623E53FAE062F43180174FA01E7B6E0
                                                                                                                                                                                                                                                                  SHA1:7843125E12A3DF5A9DC1FB052CCC34B993A18F00
                                                                                                                                                                                                                                                                  SHA-256:D68E13044485D730E183449E3F34D45E319199D376C7528FC8DDA87CA5A22034
                                                                                                                                                                                                                                                                  SHA-512:26E342BC8E28CB447BF4F1FC4F1A7A0CA2186B4AC78CDC062B29CC206ED1FAC2E0825748DF26AA0E893795820A77D6D269F4DFCB2162E5877710D7DE8FD1365B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d....0Ca.........."......R...8......0..........@.........................................`A....................................................<.......p....p...........C......T....<..8...........................P<...............0..0............................text...i........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE.....7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):285
                                                                                                                                                                                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                                                                                                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                                                                                                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                                                                                                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                                                                                                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):289
                                                                                                                                                                                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                                                                                                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                                                                                                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                                                                                                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                                                                                                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18540
                                                                                                                                                                                                                                                                  Entropy (8bit):7.313988713784432
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:1+wARK7Nm4UB1LtL8JN77hh/onRK7Nm4UxY28JN77hh07V:8wUh23hRoR83hGV
                                                                                                                                                                                                                                                                  MD5:52973E06C8A2587300797DEBD419A08C
                                                                                                                                                                                                                                                                  SHA1:8D13082BEEF0B4240B67F7D04809A25C8CC3834F
                                                                                                                                                                                                                                                                  SHA-256:AACA5F16D57F7C9CBA15F8420FA57CB0F222F3FD28051FD1C103AEBEBA681D05
                                                                                                                                                                                                                                                                  SHA-512:60CE0E47DD5B42DB77BBF507AEB939CA26ECA50A5A6F5FF4731D4E65230335BC5F8E47A1B60466B6BB2CACB582F7F0BEACEAA956A2A50D5C5645F0591D4DF8B0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.Hh..*.H........HY0.HU...1.0...+......0.....+.....7......0...0...+.....7........[.nA.jC`.S....210916120921Z0...+.....7.....0...0....R5.6.4.E.F.8.7.0.9.0.7.9.8.F.7.A.6.2.5.7.4.B.6.0.2.C.F.3.1.2.3.D.C.E.D.2.3.4.6.3...1..O06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........VN.p.y.zbWK`,..=..4c0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R8.7.8.1.B.4.C.0.6.1.9.4.5.A.2.E.8.E.0.1.0.E.F.1.2.9.8.5.9.B.D.1.A.A.3.1.3.C.7.5...1..G06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0E..+.....7...17050...+.....7.......0!0...+............a.Z.....)...1<u0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.4.9.D.9.9.6.B.8.8

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3217
                                                                                                                                                                                                                                                                  Entropy (8bit):5.702969738113695
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:2kQG735yUI8LeHdT3I8vV4xDKKr84QM5MFgWCwj:2kQG7pyye1B4x+I8pj
                                                                                                                                                                                                                                                                  MD5:1574CF3E123B96142ACF789F852119FF
                                                                                                                                                                                                                                                                  SHA1:8781B4C061945A2E8E010EF129859BD1AA313C75
                                                                                                                                                                                                                                                                  SHA-256:3FF183B875687A9A2BAF0FBEFA52AC04CD5E869E6E4FD535CC7D1D1F4825A003
                                                                                                                                                                                                                                                                  SHA-512:29EA441281BA5A4E7B427335E36D0D6FA2A103D852DD16E460C4BE62E2640AE2117C1C64CFE6BFDC2A22FE9ADDE71B74DB5A1A6BF80D7BE0953FD593401F0311
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer ..= 09/16/2021, 1.0.2.0..CatalogFile .= stvad.cat....[DestinationDirs]..STVAD.CopyList = 10,system32\drivers....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....[Manufacturer]..%MfgName% = Splashtop, NTAMD64, NTx86....[Splashtop.NTAMD64]..%stvad.DeviceDesc% = STVAD, *STVAD....[Splashtop.NTx86]..%stvad.DeviceDesc% = STVAD, *STVAD....[STVAD]..AlsoInstall..= ks.registration(ks.inf),wdmaudio.registration(wdmaudio.inf)..CopyFiles..= STVAD.CopyList..AddReg...= STVAD.AddReg....[STVAD.CopyList]..stvad.sys....[STVAD.Interfaces]..AddInterface.= %KSCATEGORY_AUDIO%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_RENDER%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_CAPTURE%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATE

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):206
                                                                                                                                                                                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                                                                                                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                                                                                                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                                                                                                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                                                                                                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):212
                                                                                                                                                                                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                                                                                                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                                                                                                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                                                                                                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                                                                                                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.847750617309462
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:b9aXVnIo4e86mU2IpU88ukl7qqOky4QqSmOOgY3hs3BMBs3hsU4hJt34lz2:b9uV54e8Q6uoramO43hs3h3hsU4/tgy
                                                                                                                                                                                                                                                                  MD5:48A8D41400F7D4729A0FB3102B2FD7AF
                                                                                                                                                                                                                                                                  SHA1:709FCD8676F7E618B1D519D7C84422D90EAC81AD
                                                                                                                                                                                                                                                                  SHA-256:158BF7761E9A254E5D4608E62D11B86A682E505413C86128999F8EDC6294645D
                                                                                                                                                                                                                                                                  SHA-512:845DA37A4FC90DB0E4D1A0CE51E9436F3AB65289C4CAE189999A72DC516F09750FBE43D681746E5BD0C5E4E90C246BC58ADF95239A19A3E3E71000C0E8B46018
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L...1.'a.................>...&......0p....... ....@.......................................@E................................xp..P.......p............h...g...........(..8............................)..@............ ...............................text...g........................... ..h.rdata..l.... ......................@..H.data...0....0......................@...PAGE....")...@...*.................. ..`INIT....8....p.......X.............. ..b.rsrc...p............^..............@..B.reloc...............b..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):59152
                                                                                                                                                                                                                                                                  Entropy (8bit):6.649199158440194
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:Qidu9HV92g74x9xMtsqRdUx2PEvp/MuTP3hs0KI3hsE5Et367SH:09HV92Z9fx/MYP3hs0t3hsE+tK7+
                                                                                                                                                                                                                                                                  MD5:FFC5D6FFD92E2F5DD7D454B5EA624825
                                                                                                                                                                                                                                                                  SHA1:22DC6D072A87B95A215735D8A9002757F1C99F4B
                                                                                                                                                                                                                                                                  SHA-256:BF3806D063FD4982791FA5F5C50DDC5B7F49B40615F6CFCE96016571CA4AF7CB
                                                                                                                                                                                                                                                                  SHA-512:653CAB148E0CE24DF36C1EC02760F19C9100542FCA5885B665E8F98EE82118B7930D3B9C8BAF18C1D08B5E1D3D5F7B3DDF0041581116BA5973CE30DFF4C4A958
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d...-.'a.........."......H...4......0..........@.....................................g....`A....................................................<.......p....`..h........g......L....+..8........................... ,............... ...............................text............................... ..h.rdata....... ......................@..H.data........@.......&..............@....pdata..h....`.......:..............@..HPAGE.....1...p...2...@.............. ..`INIT.................r.............. ..b.rsrc...p............x..............@..B.reloc..L............|..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):286
                                                                                                                                                                                                                                                                  Entropy (8bit):4.868409179176479
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:fAjsd94wqJ6dA3OdqA3PMOdyE23PMmfPP0NIgm4OdELV5FaA37:EWH9dAedNtdyE23rH0GpBdM97
                                                                                                                                                                                                                                                                  MD5:A9A42F8DE6BBE12230621C01C8FD5987
                                                                                                                                                                                                                                                                  SHA1:360D7B9C960AA8BCFAB960F5BC8FE4C8217BFF1D
                                                                                                                                                                                                                                                                  SHA-256:377B50263A4EC36A0133666CCC089CC065119FE290FA53D9397D414BFDE6DDF3
                                                                                                                                                                                                                                                                  SHA-512:CFCBE219768697E54E62F27C0BC318590055BD70BBAB73262ED93B4F7B8A993D6984DB2CE1A0DABE65A2E83204FAE61AB4896BCA56385E49DA7527B4567EDDFD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):290
                                                                                                                                                                                                                                                                  Entropy (8bit):4.94060950303714
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP0NIgm4OdRL6V5FaA37:kWH9dAedDtd0E239H0GpBdm97
                                                                                                                                                                                                                                                                  MD5:9DC29B6F9CC69C534977BFCDC98E2705
                                                                                                                                                                                                                                                                  SHA1:4AA931BE2C7297A93CEC4172F48EDDD8DBC4E3AB
                                                                                                                                                                                                                                                                  SHA-256:78CEDF996370DF8A59521A77BDDB7118610924A02625AA53BFE47975A23B3B8D
                                                                                                                                                                                                                                                                  SHA-512:5227EFC53C6D12C012691A920ADB77B51E9E939294B7B690774BDC16EFAC877D9D92C409D5197244279F4BE8052CA8FA9FCD37D82178807DABA8D0F528F179A7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon64.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18559
                                                                                                                                                                                                                                                                  Entropy (8bit):7.313796375225627
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:5eNwo6RK7Nm4UN1d08JN77hhOd5wTRK7Nm4UhkX88JN77hhOmT:Yw1n33hsd5wFIXf3hsmT
                                                                                                                                                                                                                                                                  MD5:3BEB01DAE131D8E2F595EA697676FD82
                                                                                                                                                                                                                                                                  SHA1:E4AE36B125E40E3964C176FAD1A2690317574A15
                                                                                                                                                                                                                                                                  SHA-256:B2E42C84B27299C6973FC976FF22837D156788A6D423286816DD9B551A959245
                                                                                                                                                                                                                                                                  SHA-512:DDCEB2EE00865574863F4E6D5CE32A4363FCBC85C42B75AE348FA1A09E1FC5284355A772E127372993560CA634B52447EE6F4CF7261691EB8EEDD0DD95731FEC
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.H{..*.H........Hl0.Hh...1.0...+......0.. ..+.....7......0...0...+.....7.....]....qF.3o...!...210826123955Z0...+.....7.....0...0....R2.2.8.8.7.7.B.7.3.E.F.1.0.A.0.A.F.7.3.6.9.3.F.B.2.B.4.F.4.9.F.D.6.D.A.7.4.0.4.9...1..I08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........".w.>....6..+OI.m.@I0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R3.7.8.B.6.D.B.1.6.A.4.1.D.7.F.6.F.1.2.A.D.5.B.B.3.B.3.4.2.D.F.D.9.E.A.0.2.A.8.1...1..Q08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........7.m.jA...*.;4-...*.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.C.C.A.0.5.0.E

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4530
                                                                                                                                                                                                                                                                  Entropy (8bit):5.531167619033096
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:TMuJlJjPHHXkP9bYxHJswZ4xNzp49RY8MMCuqx:TMuFDHX4yR4xNdezqx
                                                                                                                                                                                                                                                                  MD5:C6F9A3971989361505A22B26F16CBF33
                                                                                                                                                                                                                                                                  SHA1:228877B73EF10A0AF73693FB2B4F49FD6DA74049
                                                                                                                                                                                                                                                                  SHA-256:1D08A49A629D67FDC77E6EC38B90F10A2C7788BDE9EDE15075732DA010FCE8DB
                                                                                                                                                                                                                                                                  SHA-512:B49317454756DD29317838224D2B49A1D4CDB358B0BAE5EFBD6CD7F12CDEE018BF9F3A8D7D1484D64BA158821E3EBDC52D18BD601D999FFB9127A744BD477A3C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature = "$CHICAGO$"..Class = MEDIA..Provider = %ST%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer=08/26/2021,1.0.1.0..CatalogFile = stvspk.cat....[SourceDisksNames.x86]..222 = "STVSpk Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVSpk Driver Disk","",222,\64bits....[SourceDisksFiles]..stvspk.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVSpk.DeviceDesc%=STVSp

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):202
                                                                                                                                                                                                                                                                  Entropy (8bit):4.8854882526314825
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdqA3PMOdyE23PMmfPP07:kWH9dAedNtdyE23rH07
                                                                                                                                                                                                                                                                  MD5:3535AC984A69ED2E778B7F2B77618C94
                                                                                                                                                                                                                                                                  SHA1:3B6B19524DFAABDA5CF5FD2DD476A0108C928676
                                                                                                                                                                                                                                                                  SHA-256:98040E1CF91AB05E0341BAE64F1D8AD29077A5351C586F2507CFF4C41CA80A1C
                                                                                                                                                                                                                                                                  SHA-512:FD92393595D39F6260BB517DF38E82FBAB7BD7A9A79C276DEAFBDC69B123359F3D20C5A5B28AB06EFCB412E64E2AC940FA84FB130EAE9ACC778410119E7BF083
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):208
                                                                                                                                                                                                                                                                  Entropy (8bit):4.961978816753448
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP07:kWH9dAedDtd0E239H07
                                                                                                                                                                                                                                                                  MD5:754E73406288B7E24396DE0B02C9767D
                                                                                                                                                                                                                                                                  SHA1:EE115F24C025725D5BC56DAF460CBB25084D1059
                                                                                                                                                                                                                                                                  SHA-256:A2B082F8CF5944558CA68BEEC0290C49A3E4080E3B364A9A64F6CC203DFD2339
                                                                                                                                                                                                                                                                  SHA-512:9C378936BE40F532C0866713417DC0F686F8067EE706AD96DC71BA9614378A9ACF1E481C95E25C0AA0C9E63CC23C237FAAB22E49BD773E138543F27C7F0AEA5E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25040
                                                                                                                                                                                                                                                                  Entropy (8bit):5.182836790970066
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:RnmRA8diIqFr2hrkzbBglwb20HsOANRBUBR+uekbnYPLGKw:5183HrkXBhb2CI7BUBUnCtKw
                                                                                                                                                                                                                                                                  MD5:3C0B8DA5253B68665362881787681D04
                                                                                                                                                                                                                                                                  SHA1:8C2925071EBBB1D94B34DBC9B926CC96F3D6674F
                                                                                                                                                                                                                                                                  SHA-256:8DB1AF7E90197353FD346A2A4D60C7EACD506EBD593A9BCA811DC9C5D420E141
                                                                                                                                                                                                                                                                  SHA-512:5ED6163BD09A81D50059B816B3D188DDABA7F032C091CD21205F081CA1B4BB902129A5AA87ADF55B5910B193721226F2E82CC53D9A0DF0D833933F798FCF5471
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!v.!v.!v.(.T.$v.!v.2v.(.R.#v.(.D."v.(.N."v.(.S. v.(.V. v.Rich!v.........PE..d...).9S.........." .....$..."....... ..............................................T........................................................p..<.......X....`.......J..........8....0...............................................0...............................text............ .................. ..h.rdata..<....0.......$..............@..H.data........@.......(..............@....pdata.......`.......<..............@..HINIT....T....p.......>.............. ....rsrc...X............B..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.164676951334965
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:C1XYhWsmdZunYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9/6onc:CBYhWsmdknYPL/p1P6j7rtc
                                                                                                                                                                                                                                                                  MD5:1A2D1119C830079A91FDB0BC96C68E9F
                                                                                                                                                                                                                                                                  SHA1:6DFD2D9E82F5ABF807402E81F837DEA3FBF24861
                                                                                                                                                                                                                                                                  SHA-256:758732573D0360444173A9ADFEBC41E6295262A2E128F4A7DA973138BD05E1A6
                                                                                                                                                                                                                                                                  SHA-512:B8A8F0D970D4ACA797C3AE4F70C32D1068599F1FD802430F75606541F00BCC133B66484DAB0276115E09E39126AC398D54933A7757E4C28EC54FC0E40B869A3C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p.......R.......................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18384
                                                                                                                                                                                                                                                                  Entropy (8bit):5.784225074424451
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:KNpdeIDggm1TgXu0HM9CZFuz9ynYPLGKsH:Kp0f1Tg+CM9COZytKU
                                                                                                                                                                                                                                                                  MD5:FFF61014618EB5B63F5CBB7457537577
                                                                                                                                                                                                                                                                  SHA1:E899E392E493F731B900B36FF3C6AD384D35B129
                                                                                                                                                                                                                                                                  SHA-256:764FFF366A21B3D44F3F43BDED347E8BF6ACAEC3F911AEA07555A3D8E26CB407
                                                                                                                                                                                                                                                                  SHA-512:E057FC69EBE9E36A8D4DABD23044229450FA606564F28A566233AB014C7433ED515AC0BAE8427E667164518A92F74803719A1DB0066AF17560423C8E6BB6FA9B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i...h...i.......i.....i.....i.......i.......i.Rich..i.................PE..d...).9S.........." .........:..................................................................................................................<.......P....p.......0..........<....0...............................................0...............................text... ........................... ..h.rdata..\....0......................@..H.data....+...@......................@....pdata.......p......."..............@..HINIT.................$.............. ....rsrc...P............(..............@..B.reloc..............................@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.1656019250857135
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:C1XVhWcj2sFnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9SPp94v:CBVhWcj2onYPL/p1P6j7rLv
                                                                                                                                                                                                                                                                  MD5:8A12125138A8F34F9700529363947D5E
                                                                                                                                                                                                                                                                  SHA1:996729B5B9A1E85F3B911911AF675C51549F6D13
                                                                                                                                                                                                                                                                  SHA-256:392811F93E8DC4BD0BAEEF0DEDC6879DB667EAC0BE894BC6FBCF5BBB776AC98F
                                                                                                                                                                                                                                                                  SHA-512:E7AE1C133B9660B791373F1D3BD6765207E6FC1D132687CCE99E267E4945CB9843A47FE53FF0C2A2F20C704F50A8F129514F56675B52FB2C354FC1D829EA62D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p..............................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51
                                                                                                                                                                                                                                                                  Entropy (8bit):4.239902792442837
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:Eyd/MLVLV5rxk6BzX:EydELVLrqM7
                                                                                                                                                                                                                                                                  MD5:F03B61C1BE8851BF64E2EB97D4A3AF85
                                                                                                                                                                                                                                                                  SHA1:FE502F4ECD1209B3DADA7AC8F4876ED9FB5264E8
                                                                                                                                                                                                                                                                  SHA-256:AF5EFC928B43A1A476BEAFC055B19568EBCEE29EF4CEB211353DD218689F833B
                                                                                                                                                                                                                                                                  SHA-512:D229E472C0FAC83B5B952D368444DDCAC0DB965D033F29AC9EAB8F55D256BC4BFAB0861F21045A6E3B809F5B76AC30917AF321B3DC5F901F982CF477578ABD34
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:utils\devcon.exe install stvideo.inf STVideo_Driver

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77
                                                                                                                                                                                                                                                                  Entropy (8bit):4.625480821115634
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:EydKiRgLV5rxk6BzJzIvXYRABAC:EydOLrqMqPYRkAC
                                                                                                                                                                                                                                                                  MD5:70271842A0F3305F9A2922EFE95FBED0
                                                                                                                                                                                                                                                                  SHA1:8B60A48D3F3CE9BF397B586F88087A291DBE3B89
                                                                                                                                                                                                                                                                  SHA-256:A537CF622B5DBAD19587CBC8FE08BBCE8BFE7E49497BECA5784723E876F99415
                                                                                                                                                                                                                                                                  SHA-512:B84A1FE296A36346C9658F1A715114FE5A7518FC1E9B9C7A4D08DDFED760ED15626FCD1751EE361CE2D91FA9B19B75873BAA6ED1BB441BB5170DB50473FC2CD0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:utils\devcon install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7_64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):79
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7040270721314865
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:EydRFMyEJLV5rxk6BzJzIvXYRABAC:EydRFYJLrqMqPYRkAC
                                                                                                                                                                                                                                                                  MD5:C8D6ACDAF26E7B8FDAF2888E0CAE6275
                                                                                                                                                                                                                                                                  SHA1:B46AF328CF18FA3687AE4D9EE06780C21A12B7D9
                                                                                                                                                                                                                                                                  SHA-256:DE19F496F5932135FB25AB04EEE9E5A923728DDFBE13499058530239D890240D
                                                                                                                                                                                                                                                                  SHA-512:79CF0BEDCB07C72B6FFF243F7B6D90116AF1E558290E873863C5BE6994ECB6A7E4D4A0ED33CB05D0AC3699CD2328B3E4613868DECB77D7B0BBA6CF49AD809067
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:utils\devcon64 install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):5.364902287777804
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:NpXpb9ygWK86AclLjQ/WzRf8aMKnqPndtQrcaceJe0uqmnYe+PjPGyz/wa4/h:59yD6nlLoWB8a5Od+zcuebZnYPLGK5a
                                                                                                                                                                                                                                                                  MD5:FD3381A69042E1B01266549549845449
                                                                                                                                                                                                                                                                  SHA1:C6D8D4BF754DA24C0C9B39DFF0B336120BF3829A
                                                                                                                                                                                                                                                                  SHA-256:86688C2EAFB525E2E0E6723907E15567E426670C6B9934E129218A45F47B117A
                                                                                                                                                                                                                                                                  SHA-512:E9CEBA750A44248860A5980475D41358C0E0B78EF65BF823995572AA091804D3AF836A2A456A8C4A394AE57AF2B8589DFBF561D1007A3A600136A0746EFFB479
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w....y...y...y...x...y..n..y..n....y..n..y..n..y.Rich..y.........PE..L...'.9S...........!.........................0......................................s........................................`..<....p..X............:..........H...`0...............................................0..T............................text...<........................... ..h.rdata.......0......................@..H.data........@......................@...INIT.........`.......0.............. ....rsrc...X....p.......2..............@..B.reloc...............8..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.040113518412221
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:Dq8YdZrnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9NH7:Dqjd9nYPL/p1P6j7rd7
                                                                                                                                                                                                                                                                  MD5:3C1EBF4DFC9685F1D584F0D6F421391C
                                                                                                                                                                                                                                                                  SHA1:99FB5FD1A755AC038818776C6FCB964FD027334F
                                                                                                                                                                                                                                                                  SHA-256:237BC4CD7AC38B503EF2D319C484EEAE07562AB09629C218B5C5BEEB8D5A8586
                                                                                                                                                                                                                                                                  SHA-512:84C5DCFBAEA40091F7D1D5003414FFA8926B3CEFFADD08071297C5F5A6929557D8EF36BE22181431CA56E773669CD1F15DCFA16494C935EF0C15707102A4A73F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p..............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11728
                                                                                                                                                                                                                                                                  Entropy (8bit):6.807178448617145
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:KHpo0tYsmKZWZ3/ECwTnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mOsPkHsV:Pe+jwTnYPL/p1P6j7TmOfHsV
                                                                                                                                                                                                                                                                  MD5:36F961C6308CB0B919E659EB1B738AFA
                                                                                                                                                                                                                                                                  SHA1:FC795A8FD24CBB3267474D99922CFF1BEE5F242D
                                                                                                                                                                                                                                                                  SHA-256:4212786F0C3D5A00502A5926DE4E111BC9ABB84A4953C93DA6E17DCE4EC902E2
                                                                                                                                                                                                                                                                  SHA-512:923A0C4B1454C4DEDA5AFD423B34D51FD9AECBBFC610006FC062CF031C81D4A2FDC94098E9DCA4FC16B25FE0766ECDEC12F450E8E4BC701F17832D3715F70C91
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.-...*.H........-.0.-....1.0...+......0..]..+.....7.....N0..J0...+.....7........PW3.@.<...`.c..140331064154Z0...+.....7.....0...0....R1.5.4.3.1.9.0.6.C.F.3.8.F.8.6.0.1.1.8.5.5.2.3.8.2.B.A.9.6.B.B.D.7.7.6.A.5.7.3.1...1..c0:..+.....7...1,0*...F.i.l.e........s.t.v.i.d.e.o...d.l.l...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........C...8.`..R8+.k.wjW10....R2.9.7.2.3.F.C.3.1.1.0.6.4.6.4.9.3.F.8.2.4.3.9.D.A.8.1.C.0.A.B.A.8.7.B.9.6.3.1.7...1..e0<..+.....7...1.0,...F.i.l.e........s.t.m.i.r.r.o.r...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15824
                                                                                                                                                                                                                                                                  Entropy (8bit):6.022305855965037
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:cdot9XqRolBJB3gP9tRHY8QjSec95NLnYe+PjPGyz/wOgjJ5Q7:cduaCvJQY8QjSz9vnYPLGKGI
                                                                                                                                                                                                                                                                  MD5:AF512AA3612DEA5C2E2FAE866898EED5
                                                                                                                                                                                                                                                                  SHA1:803810F8648832AB81DDF3B3C5862077EF6AFD4F
                                                                                                                                                                                                                                                                  SHA-256:FBBEE200CBD1663A0F6D6F9FAD4502004DD4922C2257CC8AF6CBFB4DE1CBDB12
                                                                                                                                                                                                                                                                  SHA-512:857D6F4F13ADACE91E7C90B6CADF601C87F3D98C9916C3D6079B153A48B7A9F16A5DB79B92D9E087F1646FE12DD65890292475D2D4DD0C823354EAA0B4BA5939
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)...)...)...)....... ....... ...+... .../... ...(... ...(...Rich)...........PE..L...'.9S...........!.........6............... ...............................................................................`..<....p..P............&..............p ............................................... ..h............................text............................... ..h.rdata....... ......................@..H.data....)...0......................@...INIT....H....`...................... ....rsrc...P....p......................@..B.reloc...............$..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4694
                                                                                                                                                                                                                                                                  Entropy (8bit):5.249583632564649
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:E+5iOJLGq6BFPmfsLkfsof96zdUyLiypkTsTetTtqBlFL+WC:E+5iOJLGqsFPmfsLkfs86zdUyLiypkAU
                                                                                                                                                                                                                                                                  MD5:BA4F5D984CB8611E64BFCEDE9C3B8E93
                                                                                                                                                                                                                                                                  SHA1:AC67AA1C6C892FC04FC740647815F74C6671DD34
                                                                                                                                                                                                                                                                  SHA-256:A31E1D6AE465C93B847D47BCECAE94E24B918BFF73DD7D9B31E6789322591DDD
                                                                                                                                                                                                                                                                  SHA-512:16F3528FA573C612A0CF1BB772FB3C3DE2C4EBA619621E33DE0337D0954DE115BA39FAD0D7FD9816849E2BBC430EB84AAA802AA9F861F0B94EC890C9E19BCEBD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:; stvideo.inf..;..; Installation file (.inf) for the splashtop device...;..; (c) Copyright 2011-2014 Splashtop drivers ..;....[Version]..Signature="$CHICAGO$"..Provider=%splashtop%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=03/31/2014,1.0.2.0..CatalogFile="stvideo.cat"....[SourceDisksNames]..99 = %DiskId%,,,....[SourceDisksNames.amd64]..99 = %DiskId%,,,\64bits....[SourceDisksFiles]..stvideo.dll = 99..stmirror.dll = 99..stvideo.sys = 99..stmirror.sys = 99....[DestinationDirs]..DefaultDestDir = 11..stvideo.Miniport = 12..stvideo.Display = 11..stmirror.Display = 11..stmirror.Miniport = 12....[Manufacturer]..%splashtop% = stvideo_Mfg, NTx86, NTamd64....[stvideo_Mfg.NTx86]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvideo_win7, STVideo_Driver_Win7..%splashtop.MirrorDeviceDesc% = stmirror, STMirror_Driver....[stvideo_Mfg.NTamd64]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvi

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):12008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.040343349200973
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:Ddg2s4nYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9xu5eF:Di2hnYPL/p1P6j7rxbF
                                                                                                                                                                                                                                                                  MD5:46DF2F9B00DA96B8603F472EC4BEB416
                                                                                                                                                                                                                                                                  SHA1:AFB25F23A849DAFECA73DFA6B0DF428619F6224E
                                                                                                                                                                                                                                                                  SHA-256:8196CA7ED6BF904E00E2A2955AC8288801AA3983384268D5DF85F52AE10FC974
                                                                                                                                                                                                                                                                  SHA-512:0284D0D1A025AED097C375343018DF023A7058CF741BFDE9D97DC647548BD18C05B068268818E6542954BDBB1FDF0B992277C565865A2084DF9BFA2E33A9FBDC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p.............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):57856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.214858942297855
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:T6pztvRXL6L1T9mV0OTpJoNGDP5t2IhmX+o:T4tmL1EXCNGVt2IhmX+o
                                                                                                                                                                                                                                                                  MD5:3B83E955AB0C3A815E0ED69EB6407C52
                                                                                                                                                                                                                                                                  SHA1:995657C40BC9A28D36AFEA59FE8549B916F81B95
                                                                                                                                                                                                                                                                  SHA-256:0C2EBB467661D404BCA91A080CCA0E5836797EFC474B62A3D22FB3419E3C8B52
                                                                                                                                                                                                                                                                  SHA-512:1943EB1AFE81116657CBB33E87C7683CCF6D9EF22F59E5CEE840705E486A176DB5A7D67114A46ECDFC47A1B351F94DDEC72A05BDFB29CA6709CC696D877FDEBA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X..SX..SX..SQ..Sz..SQ..SH..SQ..S;..SQ..S_..SX..S...SQ..SZ..SQ..SY..SRichX..S........PE..L.....M.....................D....................@..........................0......|.....@.................................T...P............................ ..@...p...................................@...............(............................text...4........................... ..`.rdata... ......."..................@..@.data....+..........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):542216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.466753301083591
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:TXL84WA5C/KIcgHrlti0XoppdpRFT/FKf51PnofX09v:TXL84lopcgRti9FT/FKvnuX4v
                                                                                                                                                                                                                                                                  MD5:BB241F864550BFA8AD2346C65E0CE41C
                                                                                                                                                                                                                                                                  SHA1:378769EE7D6CA44554103E6A23F1BD20BB9E2564
                                                                                                                                                                                                                                                                  SHA-256:58C4394BBE98BA2B9344209CDC98F5DB854A385ABEB4C74BD111B0ED661D1D61
                                                                                                                                                                                                                                                                  SHA-512:68CF0A4CC802A10C218B3155D427DA5DFB6EDEA7671A41D016A5844011896C84490123E008CDAC2A4C5C60150B777F6742BA47A95050DFC1DBDEE20E332765EC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.gS..4S..4S..4.`.5Y..4.`.5...4.`.5I..4.l.5C..4.l.5Y..4.l.5...4.`.5B..4S..4...4Gm.5Y..4Gmh4R..4S..4R..4Gm.5R..4RichS..4........PE..d......e.........."....$.....B......p".........@....................................9.....`.................................................d........p...........A.......(......D....&..p....................'..(....%..@............................................text............................... ..`.rdata.............................@..@.data....5..........................@....pdata...A.......B..................@..@_RDATA..\....`......................@..@.rsrc........p......................@..@.reloc..D...........................@..B........................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2816416
                                                                                                                                                                                                                                                                  Entropy (8bit):7.82236063017737
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:wVaHMTDMmyUZe4RF+A8LO9Us1BXEne0Nxx4kta2R74IIjvmIFe5mxoDpuBw1s31n:wVTuERKy9v1BXEne0Nxx4kta2V4IIjvZ
                                                                                                                                                                                                                                                                  MD5:DF362B11095D0F59ECF9DDC0DAF61B12
                                                                                                                                                                                                                                                                  SHA1:6BB3B490F048FD1306D714651F6C2C488BC318D9
                                                                                                                                                                                                                                                                  SHA-256:BAFA22DA91BF2B44E4EFBBDFB8D7FB64B6F8A04569F2737EA49C384CDAD193F7
                                                                                                                                                                                                                                                                  SHA-512:0A03BBF0DEF16E78556041DAC5EF003957384C37F07B08EBC0917921DC30189C2E3CFF7F91F369BD7195A8EE3E84D194113F0D889897C5679DEA263F27821FFE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2..e.........." ......*...... ..0.I..0....................................J.....v.+...`...........................................I.\.....I.<.....I...... G.......*..-..,.I.............................(.I.(...................................................UPX0..... ..............................UPX1......*..0....*.................@....rsrc.........I.......*.............@...3.96.UPX!.$..c-rX...OI>H...*...G.I..l....H....F........@.AWAVATVWUSH.. A..|.........................f.....{...... H.5.....}..g1..H..>t.(...%.....?..v......=u.f=.....<......"g.|.....w..H....M..I..eh.%00.....p..P.7...t$H9.....-...=.uv.T...5!..u......f....,...>.u....H........#.a.2...&/.d......[..a.D...R....t.L..A.....{..O......E1....D.....m. []_^A\A._.a.y(.p...f.._....Uc(L.9^A..1>l..t....y..v.....z....G..w**.....$(...SW...)...,...."[\...=...2s.....E....F1...&;..v....y.wp.....t#.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):465928
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6188868975232875
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:nmELSchToqY92QUOMIsV7iPSdutxml26jmlE662:bnAUF1pAb
                                                                                                                                                                                                                                                                  MD5:12A3EF8EF5D70994B9500FA0801F8903
                                                                                                                                                                                                                                                                  SHA1:C06C2AC1CC4B7D50DDFD36E32CDB2274618294B7
                                                                                                                                                                                                                                                                  SHA-256:520C5A35F943B06888A96339EB2B8B5BEEB70046B5835DC0190AF77B4E0824FC
                                                                                                                                                                                                                                                                  SHA-512:EF4AE07C1F2A636D57F5FA64505CE8CA581FAFD450DAC9FFAED69B84259BC21A3632E401577FA996C5C699352B07325CA7CB4CF82FD46E3C98E506E08B3125E0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Lyqa...2...2...2.j.3...2.j.3...2.j.3...2.f.3...2.f.3...2.f.3S..2.j.3...2...2...2.g.3...2.g.2...2...2...2.g.3...2Rich...2........PE..L......e...............$.X..........7........p....@..........................@......B ....@.................................4............................(......t8...P..p....................Q...... P..@............p..8............................text....V.......X.................. ..`.rdata...A...p...B...\..............@..@.data....%..........................@....rsrc...............................@..@.reloc..t8.......:..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2581408
                                                                                                                                                                                                                                                                  Entropy (8bit):7.8335475472495375
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:bGF1tZkcS3fy3i9Ov8l6/kKkN6PLsCzvDxg7abakf35UXAtuwHgLYV1G4DW1L6Ky:bs1kcS3fy3pv8l6/kKqiLpPuabakf35n
                                                                                                                                                                                                                                                                  MD5:348AF13556E619DA13459047DAB625B9
                                                                                                                                                                                                                                                                  SHA1:6F3CB9022C715AFC6156A44A73D9D10147AB6CA4
                                                                                                                                                                                                                                                                  SHA-256:75BDBB78A7CEE839496A8E643E2E631D04E243C4B466F3AF7FCD8C8A01288807
                                                                                                                                                                                                                                                                  SHA-512:344C43F62910CF5D1B31AA3A17E0A581C438055D49DC59071574F3D1A500C0945AFE89C2AB54045140B4EB79221B5A7E0814056C5600055FD3A0D458436D9CC0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[..e...........!.....0'......."...J..."...J.............................. J.....+-(...@......................... .J.\.....J.......J..............6'..-..|.J...............................J.....................................................UPX0......".............................UPX1.....0'..."..*'.................@....rsrc.........J......,'.............@...3.96.UPX!.....'.tl..8..I..''...H.&...o...h.>e....`....f.USWV....D$........tz....M".R...-..........5..p..a1....>t...."}..........h.....9u.=s.Z.^.......>..6...........nd...h.v...k../...t 9.t....{3m.7.u.-.E.n..~.u.j..."L.".}u......2e.J ....PQ.......k.PC..$...z........X.IL.6t......t$.j.....C...1...........^_[]...V.L$.TJ...$......a...P...^^Jf..4...?......UX...._/............F.^|.<.w&.VW...v.t...v%.!."LqO...."..9...,...WJ.d.....)Rj.s...W.h.G]....qA..<$G...C*.+t..G.#..@?.1?.....x7....$./...h..".ul......

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3116552
                                                                                                                                                                                                                                                                  Entropy (8bit):6.392745373577217
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:bPZ5TNGpStg+wTMz3Q8giStLONyAppqk8W+OcVpcL0865eGzYPcL1l:gtMziR8k1DcLv6xL1l
                                                                                                                                                                                                                                                                  MD5:9CA925B6A0CFA7F8B0222233B3494D05
                                                                                                                                                                                                                                                                  SHA1:20EF67FDEA63178B92D2BF4755C02687DC9D9022
                                                                                                                                                                                                                                                                  SHA-256:5C66BE5F5D9A8CD7CBD5F31EF3AAFE7A422186E9B21AC564B58362508BF0583A
                                                                                                                                                                                                                                                                  SHA-512:FBF69CAB559363EE0C16E4F04A7A3BED101B1B7D96383D2E092DE6EED505522CC7D1FEA1900FB0A63293BDEE34A5006583A1540D61043439CCE4EB12FF505879
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......)r.3m..`m..`m..`.a.aa..`.a.a...`.a.av..`.g.ao..`"o.a|..`"o.ag..`"o.a#..`.a.a`..`m..`...`.o.ae..`.o.al..`.o{`l..`m..`l..`.o.al..`Richm..`........................PE..d...)..d.........." ...".:...`......l^......................................../.....M.0...`..........................................,.X...(.,......0/.h....P-......f/..(...@/.H... .*.p.....................*.(.....*.@............P...............................text...|8.......:.................. ..`.rdata..ZM...P...N...>..............@..@.data........,..p....,.............@....pdata.......P-.......,.............@..@_RDATA..\.... /.....................@..@.rsrc...h....0/.....................@..@.reloc..H....@/.....................@..B........................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32264
                                                                                                                                                                                                                                                                  Entropy (8bit):6.549378989734658
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3mFO3OkMgk4tx/knVGuOA0R2dEpYiTPxchfU49:3SO3trenVODR2W7TPxchfUg
                                                                                                                                                                                                                                                                  MD5:48C3A4A2FA37A0BFC5BD90874A63AF44
                                                                                                                                                                                                                                                                  SHA1:27A3FBF2603B36DD972401CF8B976FBC282A2C3D
                                                                                                                                                                                                                                                                  SHA-256:3822BE932AED0A6E5C5A9F3CD80440AD96C8248F187F67324221A58AF5276296
                                                                                                                                                                                                                                                                  SHA-512:F261A54AF5B0204B8018B5844CDDA6BDC1F399AB3375BF171B8E7081A9BCA583D061F7182EA140E5E2A9E42916C78C2C7256AF516B15EC16AD51AD8ADFBC57EA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:..u[..:..BX..:..BN..:..BI..:..B^..:..:..:..BG..:..BY..:..B\..:.Rich.:.........PE..d......d.........."......*...(......,0.........@....................................<.....@..................................................L..d.......l....p..D....V...(......L....B...............................................@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........`.......D..............@....pdata..D....p.......F..............@..@.rsrc...l............L..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2403848
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7207202597413875
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:FgGdcX0zBXVSNi2z4xw4G7NyzRP1ikMHeBNWHr:F4X2ikxwTNsi7
                                                                                                                                                                                                                                                                  MD5:4CF09B45FEE4FD22DC22B0AF706E4D80
                                                                                                                                                                                                                                                                  SHA1:86A6E08A3F7C315F1FDE9A9499EE91EE6A0F1407
                                                                                                                                                                                                                                                                  SHA-256:4D925CF495ED97B7B73F7A93B01F7C529B55EB4581479120D235DC9263D06A3D
                                                                                                                                                                                                                                                                  SHA-512:FD4B8E15B5A2C0B5045F039E2498D1CEFA5BB4913E302C56E6B84526279D36378D87E9269435B5AF644BA019CF056BF47E818F192FDD9D35F1AC8CF8D6DDD531
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.q8.."8.."8.."...#*.."...#..."...#/.."...#:.."w..#).."w..#!.."w..#s.."...#5.."8.."..."...#0.."...#9.."..%"9.."8.M"9.."...#9.."Rich8.."........................PE..L......d...........!...".............W........................................$......$...@...........................".X...8."......`#.h.............$..(...p#..o....".p...................@."......".@............................................text............................... ..`.rdata..............................@..@.data...pr...."..N....".............@....rsrc...h....`#.......#.............@..@.reloc...o...p#..p....#.............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.708144938787245
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:EJVI3R0H/aWeIUhwNslRPbJyRefvcO+mVMWehLNyb8E9VF6IYiTPxcbdGgktyVEF:EJKMC8NsLPtxcO+AMPlEpYiTPxchOF
                                                                                                                                                                                                                                                                  MD5:A958758134E6D61D45BA0C4968380A8B
                                                                                                                                                                                                                                                                  SHA1:F40142518B13782CD2A06844CD8147B337E459DA
                                                                                                                                                                                                                                                                  SHA-256:30FD28720C7235F45140ED0642A4C71FF0DB1E93362D5694D87026DDA14992F9
                                                                                                                                                                                                                                                                  SHA-512:1645C335C36AAC6A6BD2A74E41F7176776E70B696705F491CA8CCD6E99A54C3ECBC52E8BA081E9B0E57F5C08E0546D5302A7D28D72C350EC08446D54457360D1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U(...I...I...I...Z..I...1Y..I...1O..I...1H..I...1_..I...I..sI...1F..I...1X..I...1]..I..Rich.I..........................PE..L......d.................&... .......+.......@....@.......................................@..................................F..d....`..l............J...(...p......pA...............................C..@............@..H............................text...K$.......&.................. ..`.rdata.......@.......*..............@..@.data...0....P.......:..............@....rsrc...l....`.......<..............@..@.reloc..4....p.......D..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):107312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.447984928648711
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:BTeWLZrzci/8dbquofWnRADp2y6hX2hbTYzLhrhkphDZ52DBXN+vl/DFS:BCWFfqbqaGnGzLhr82DBXN+v2
                                                                                                                                                                                                                                                                  MD5:BCEF2D42768A816AF7CD60391CBA3C0E
                                                                                                                                                                                                                                                                  SHA1:E17EC512C595318DC5F282CB73B71CFCB0B52A7E
                                                                                                                                                                                                                                                                  SHA-256:0EA236D80EFFA865F73E728D06790AB5583660EC915C979E8D96CAF692B6FE80
                                                                                                                                                                                                                                                                  SHA-512:389B36A464C417AAAE16A229F004A01D4F1EBC8F3D8E8A4D12B5AA82D9BA5EDE4A139B3999BAF1D9BF862D3B4BD5A6A0D89CC0A3561E8CA15EF19AA771DEE475
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r...r...r...{...f...{.......{...D...{...}...r.......{...p...l...s...{...s...Richr...........PE..L......U.....................l.......W.......0....@..................................0....@..................................\..........................0............2..............................@N..@............0...............................text............................... ..`.rdata...6...0...8..................@..@.data....-...p.......V..............@....rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):76752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.281018016209332
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:TMM1hIpiOe7unK1L0RW7Z4tk05ZpJBkkmN6/2EvK6k:TMM/hOeSK1DZ4tk0/B7OEvK6k
                                                                                                                                                                                                                                                                  MD5:8CED2B2F0E61A1BA20D63B24A41E1234
                                                                                                                                                                                                                                                                  SHA1:9731E2756EAB7A902DA1A72C0F1DC008425037C5
                                                                                                                                                                                                                                                                  SHA-256:44DB8AF61B92B39C805B136D2FB608D9D9082F051DDBD9AEE9E3A760B34EFF13
                                                                                                                                                                                                                                                                  SHA-512:087596DC595B786D74087BCEEA2F1A9B46F4EADCB1162201F32CB05B9BD207520C617AD849CD52788B5C2E579CF72B2B1BB7A5265D10B450B5E6FB8D17D1C07B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].mt...'...'...'v..'=..'v..'...'v..'q..'>+x'...'...'...'...'r..'v..'...'v..'...'v..'...'Rich...'........PE..L.....jP...........!................VE.......................................`...........@.........................`...........d............................@..P.......................................@...............t............................text...'........................... ..`.rdata...8.......:..................@..@.data... 1..........................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):91432
                                                                                                                                                                                                                                                                  Entropy (8bit):6.020228136904558
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:5UBy2mcawf1jBALblIkWHgMCtd+DIO6iUY:SyNcRjyLKGMCtd+DtDUY
                                                                                                                                                                                                                                                                  MD5:B510DA2C973FEB05803F124D0507D3A4
                                                                                                                                                                                                                                                                  SHA1:8F1344CEF1DB998698E1467AD22E30ED3BCE584B
                                                                                                                                                                                                                                                                  SHA-256:A39DEBD7558B4E769AC277A7D05B532318AB7774490310F76BDFE9E55240D9CA
                                                                                                                                                                                                                                                                  SHA-512:AFC90D52B19B5E8186C62F5F1B720AB68EB34A997D3099824C7396FCC74D1ED76063BA1541FAAD999806BCFCC375909636E48EF36957157AAD766256B2999E6A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7.B.s.,.s.,.s.,.z...b.,.z...K.,.z.....,.z...`.,.s.-...,.z...w.,.m...r.,.z...r.,.Richs.,.................PE..L....^.R............................@9............@..................................?....@.....................................x....0..x;...........L..(....p..X.......................................@...............x............................text...7........................... ..`.rdata..N0.......2..................@..@.data...............................@....rsrc...x;...0...<..................@..@.reloc..z....p.......2..............@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):170960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.545608024132094
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:k4UWlA7/ZJoE1s76gv/vKnGStqzWTBflx+FOGqK1:PY7/3s76ginGS4zWTBQv
                                                                                                                                                                                                                                                                  MD5:27CA510E2DDFE647F742F98C2EC6A7F7
                                                                                                                                                                                                                                                                  SHA1:1F422E39770D9565460F881D078D8C335B678255
                                                                                                                                                                                                                                                                  SHA-256:41BA7791F830EFBDF5F942A0B6DCF98C6A7D37B7DC06EED21F86AFBED0215C9A
                                                                                                                                                                                                                                                                  SHA-512:ACBF7A23FB033ADB314466324AF6D1C6F543F6FADB6439B3E80F35467432754396667C9CA511A4D8AC3178BB51CD61EA3D94755436EFA9231EA362282C5FA2E4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9..Kv4..9...A7..9...A!..9...A&..9...A1..9...9...9...A(..9...A0..9...k6..9...A3..9..Rich.9..........PE..L...8-,Q...........!................L3...............................................h....@.........................@[......(S..<.......|.......................0....................................G..@...............l............................text............................... ..`.rdata...k.......l..................@..@.data...87...`.......J..............@....rsrc...|............b..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):103936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.507703999296599
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:EaNGKlZIYEbXAiOuvw2sk6SDroltixDxnJf8:EUGTFj8uI2IfIxnq
                                                                                                                                                                                                                                                                  MD5:394B38315694C2F44E9AA9451C9BF2F9
                                                                                                                                                                                                                                                                  SHA1:E05BD08996AC48D79244B8A96D18478F957A70DA
                                                                                                                                                                                                                                                                  SHA-256:E5387D1B2972A589DDEAE8E7C4DBEE19F6F88F67C33902343CCCB1C0E4A92FD8
                                                                                                                                                                                                                                                                  SHA-512:6A4DDB8641F145E4B4249A0E86EBF0D838BFDE48AD4DA3B39C16626EE4060013CBAE817933B4532C022A13B197746600A5A06011DB1F60C1BDA55E4765121FB1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............}...}...}..l~...}..lx.{.}.....}..~...}..y...}..x...}..ly...}..l|...}...|.?.}...t...}...}...}.......}......}.......}.Rich..}.................PE..L....<.g...........!...)..................................................................@.........................pQ...... R..P.......x............n...(...........A..p...................@B.......A..@...............l............................text............................... ..`.rdata..Zk.......l..................@..@.data........`.......J..............@....rsrc...x............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2366976
                                                                                                                                                                                                                                                                  Entropy (8bit):6.76682262643859
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:YJAPT2mLkbHKnrM8KWYJmxzAw/L31N0rjrPGVn92MyukGrpWsnlLHmsMxHlPww1Q:YGb2mLkbHKnrM8qJmxzAw/L0rnGZyOc4
                                                                                                                                                                                                                                                                  MD5:F46304F40914BDA59A00A18C420761E5
                                                                                                                                                                                                                                                                  SHA1:6B67E5B84822D9B1E240DC8D07B3741B51C94E4C
                                                                                                                                                                                                                                                                  SHA-256:F266591038B49C787C793FAA41015822F9E6437EAE4A7369D51A31728BFABE74
                                                                                                                                                                                                                                                                  SHA-512:2C33EC66847F1A5D8FE9E9E0838910E2FE2E436DDBBA7E4A56813E459E9DCEDE778B831FE9F41B953BC87439F43B716353CCAD3D681C2C18572074C91EA57C07
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........S2S.2\..2\..2\..@_..2\..@Y.!2\...X..2\..J...2\....2\.._..2\..X..2\..Y..2\..@X..2\..@Z..2\..@]..2\..2]..3\...U..2\......2\..2...2\...^..2\.Rich.2\.........PE..L....?.g...............).....H......;.............@..........................@$......1$...@...................................!.T.....".P.............#..(...."..u......p...............................@.....................!.`....................text...|........................... ..`.rdata..j>.......@..................@..@.data...<.... "..n....".............@....rsrc...P....."......z".............@..@.reloc...u...."..v....".............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2843136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.540969680142758
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:aKNKKqgp2eVqO3S4oZmb++KyFCiicqlc4XXD1TmRll1kHWV8/zHzJU:aKYKh/VqOBay++hFCinqlc4XXDcRbSW1
                                                                                                                                                                                                                                                                  MD5:735373F7DC558D52F39EB2513DD4C10A
                                                                                                                                                                                                                                                                  SHA1:5CE1B5E7346CF9E86A68D0B95050BF2E7D634F27
                                                                                                                                                                                                                                                                  SHA-256:52075CBAC339A539C75720E774CF52DF81C5D3A63223281533A402FA6FA90009
                                                                                                                                                                                                                                                                  SHA-512:5C695CB78DE2C77C817E845B2C0E4A1018999A2B1E3E4840DD85EED07EA700155CA29838525662082A262A398558FE53DDAF3130B432D5EB3DFAA887C68DDA04
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).^.H...H...H...:...H...:...H...:...H...:...H...:...H...H..iK......H......H.....TI...0?..H......H....C..H...H+..H......H..Rich.H..........PE..L...J?.g...............)............z.............@...........................+.....I.+...@...................................!.......".............:+..(...`).la.. ...p...........................`...@...............L............................text............................... ..`.rdata..~4.......6..................@..@.data...d.....!..n....!.............@....rsrc........"......2".............@..@.reloc..la...`)..b....(.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):530944
                                                                                                                                                                                                                                                                  Entropy (8bit):5.641056197847852
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:XFsO87fqoGW3PX2WUZixCheYRnRoFRygiCSWiU4/+kwltmdfC:VsLGoGW3mRoFPVQ+kw4C
                                                                                                                                                                                                                                                                  MD5:C026299F6C9A27554298FC4CEB24FDCD
                                                                                                                                                                                                                                                                  SHA1:DC6B4F9C686BEBFE92BBECE401E5ADB9E2BCB808
                                                                                                                                                                                                                                                                  SHA-256:73663C75C7E750535081FCE60163BF14AB5D7C7896D0A4F1EA908C8168DEB463
                                                                                                                                                                                                                                                                  SHA-512:E9DA9E7AD5D36D4A2A2B61034996D89FE096FB9DA12320E26C312276B14CECE8573A96851B2B741C4AA989874A7699543F6A55533A5929C89493267E68FCB876
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.^.#.0G#.0G#.0G..3F(.0G..5F..0G3#3F4.0G3#4F7.0G3#5Fp.0G..4F;.0G..1F..0G#.1G..0Gh"9F6.0Gh".G".0G#..G".0Gh"2F".0GRich#.0G........PE..L...6=.g...............)............P.............@..........................0............@.................................<...........(................(.......(......p...............................@...............,............................text............................... ..`.rdata..T...........................@..@.data...X#..........................@....rsrc...(...........................@..@.reloc...(.......*..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2857472
                                                                                                                                                                                                                                                                  Entropy (8bit):6.527509810041657
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:4eyS1S2t02IzwZMSQlQpES2X4N91O90h6bcU8qR2PWy71kHWj7sijpxY:4e/S2a2I2DpESC4r1s0h6bcU8qR2OgS7
                                                                                                                                                                                                                                                                  MD5:213A56B9AFE2675592116DAF60195A43
                                                                                                                                                                                                                                                                  SHA1:D1D393C6197AB2D2FC9B1BB7CA835F919CF88E17
                                                                                                                                                                                                                                                                  SHA-256:78E85CCB1963D217E08E87A7C9080A5949251A2E3EC83F97A7CDF132F38B4AB1
                                                                                                                                                                                                                                                                  SHA-512:83C28D95B703915F7841888AD6C2BA6AB9B2DC1700E618FE1813795BC1462BFCB4965ADFFBB2C824CAE789F9422302D3F514A745BEF72558C66F666849918962
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.-C4.C.4.C.4.C...@.(.C...G...C...F..C...E.5.C...B...C.4.B...C.$0@...C.$0G.!.C.$0F...C..1J...C..1..5.C.4...5.C..1A.5.C.Rich4.C.........................PE..L...W?.g...............).T...t.......K.......p....@...........................,......y,...@.................................<.!......0"..d...........r+..(....)..^...,..p....................,......P+..@............p...............................text....S.......T.................. ..`.rdata..N....p.......X..............@..@.data........`!..l...@!.............@....rsrc....d...0"..f....!.............@..@.reloc...^....)..`....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2856448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6580102163481385
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:TerAnAgEpVQaJKjUn9BvaQPothT86TrcHkroFKPcfoxJmd87ytDWNZe6:arAnhmVQaQ0fothI6TrGkroFKPcfoxJd
                                                                                                                                                                                                                                                                  MD5:DF313FF4BD970EC0EF608DD3A53D12E0
                                                                                                                                                                                                                                                                  SHA1:BF0D9CC6D6289703CFEE7CB0107042725D3B2F36
                                                                                                                                                                                                                                                                  SHA-256:F05D320CF9E438D24DCC3A9E47595B88FCC15AF7C5C9D52DDD05983846EA72A9
                                                                                                                                                                                                                                                                  SHA-512:F6FD73101095381C0F18E78D8ECEC614664C59037408E213332D67087FAEB07760D5B8F45C32FD630E430222FBFB0C5D06D1F26E9B179E56B43256C6FD4FF858
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-c..L._.L._.L._*>.^.L._L..^.L._n..^.L._*>.^.L._*>.^!L._*>.^.L._*>.^.L._.L._LO._...^.L._...^.L._...^oM._...^.L._..._.L._.L._.L._...^.L._Rich.L._........PE..L....>.g...............).....R....................@...........................,......+...@.................................._!......."..............n+..(....)..f.. k..p....................k......`j..@............................................text............................... ..`.rdata..L...........................@..@.data.........!..l....!.............@....rsrc.........".......!.............@..@.reloc...f....)..h....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):127488
                                                                                                                                                                                                                                                                  Entropy (8bit):6.663352275525587
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:2e+t58tCCtFHqvUPPTe3iiWfFBQGy+bpyF3/7g9krLmr:StWHqvUHTKiTfFBQG6Pskrk
                                                                                                                                                                                                                                                                  MD5:0A03D00D23A498362506A0507690694A
                                                                                                                                                                                                                                                                  SHA1:935DAE9F31A2F757E759DFB401BEBB2618CDF995
                                                                                                                                                                                                                                                                  SHA-256:3741E191500A0614DA4C86BBD3EC651764E015374876DB7095EEE3AFE3356F48
                                                                                                                                                                                                                                                                  SHA-512:EDE868FD6FCDE0052263A405119E72A5DB98EB5888219F294C218E6CE3246C001B9D4B72253A78DB45E06CFA979071A5BCDADF793AF593DB971801317E014C32
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3Al.w ..w ..w ..R..f ..R... ..R..a ..g...d ..g...g ..g...h ..R..t ..w ..' ..<...s ..<...v ..<...v ..w ..v ..<...v ..Richw ..........................PE..L....=.g...........!...).....................@......................................A.....@....................................(........................(......p...(...p...........................h...@............@...............................text...,,.......................... ..`.rdata...u...@...v...2..............@..@.data...............................@....rsrc...............................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2856448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.657996276797265
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:ZerAnAgEpVQaJKjUn9BvaQPothT86TrcHkroFKPcfoxJmd87ytDWNZeJ:grAnhmVQaQ0fothI6TrGkroFKPcfoxJq
                                                                                                                                                                                                                                                                  MD5:EC3597A661A7212BBCE927DCACF7B7D8
                                                                                                                                                                                                                                                                  SHA1:E262C1DA18D9F6B0D191FB28C48ACDD00DF7216F
                                                                                                                                                                                                                                                                  SHA-256:1B7E64EE8D5EB40372FDF23798C53CA440BE80A915C11946F44898C88D4B1ED9
                                                                                                                                                                                                                                                                  SHA-512:BAFFB96ACBF785A4A5C9EC89ADF729250EF227EC4DA7BC95380D17F4B65CCBF5E16E5B4484E09D12306ECEE8A2BFE4E0C0B11E1ED54EB758072069A6443A9AD1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-c..L._.L._.L._*>.^.L._L..^.L._n..^.L._*>.^.L._*>.^!L._*>.^.L._*>.^.L._.L._LO._...^.L._...^.L._...^oM._...^.L._..._.L._.L._.L._...^.L._Rich.L._........PE..L....>.g...............).....R....................@...........................,.....E.,...@.................................._!......."..............n+..(....)..f.. k..p....................k......`j..@............................................text............................... ..`.rdata..L...........................@..@.data.........!..l....!.............@....rsrc.........".......!.............@..@.reloc...f....)..h....).............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2463232
                                                                                                                                                                                                                                                                  Entropy (8bit):6.463963620672712
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:JEgt0a5NOfMBMjk21auC1nNNcWPnYHkRjrQwPgn1kHW9:JEI0a5iMBMjvQj9NNcWPn00jrQw4nSW9
                                                                                                                                                                                                                                                                  MD5:B014770C400FFF7EECF19AAEC0052DDB
                                                                                                                                                                                                                                                                  SHA1:8682AA38F2DE5A2ED636021B2D7A22847C2A66B1
                                                                                                                                                                                                                                                                  SHA-256:1CDBEE564E8EA0F786A9CE1718FCCD5B1A6AB4EC55E724A1814329B425BE7A59
                                                                                                                                                                                                                                                                  SHA-512:220D1D1378C39345DE155D0E9E4887949964A6981BC0F27E7EE941F69DDBAF6D42C83218D67AADF783F1A3ABABB3DCCC97517CDE32E2F6BC66BE33076E33C819
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?b..{...{...{...q..a...q..X...q.....q..z...q..V...{.......k...c...k...n...k.......0...m...0.3.z...{.[.z...0...z...Rich{...........PE..L....?.g...............).:...x.......r.......P....@...........................%......#&...@.................................p+..|.......h............n%..(....#.........p...............................@............P..$............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data...P....p...X...R..............@....rsrc...h...........................@..@.reloc........#.. ...N#.............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):142336
                                                                                                                                                                                                                                                                  Entropy (8bit):6.178708440903101
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:+IRS31UwelTwwoJChcq6UfS/Hqvo+h3YcD8DUsWjcd7LXQrd1ee4P4jaVq768hU7:+IvMg6MSq14bP6d1ee4P1Y6
                                                                                                                                                                                                                                                                  MD5:E0509D5EBA69BF050C5ACD952775DD10
                                                                                                                                                                                                                                                                  SHA1:089F98FD3A286E74A3F6067332FE26C9F93A6920
                                                                                                                                                                                                                                                                  SHA-256:4545D6E9D27B4E6693A1381AA9E0305CA887FBD4D742F7380FD5AF933F4F9233
                                                                                                                                                                                                                                                                  SHA-512:688395661EE7F071F96861DBF9A191B1E7DED991F77CA03BCDC339D78CDA6AB4913BA5181C681ABEA086F942030A6DA134A516204092F3FEA5E93F922077E2E0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...6...6...6^'86...6^';6...6^':6...6...6...6S.L6...6..&6...6..?6...6..<6...6..b6...6..96...6Rich...6........PE..L...q?.g...........!.....0...........^.......@...............................@............@......................... ...}...$...P.......x................(...........A..8...............................@............@..d............................text..../.......0.................. ..`.rdata...~...@.......4..............@..@.data..../..........................@....rsrc...x...........................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):94640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.423065206229182
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:iYqYiH1S4d7O6R/S4Ka2ogPgz8KT9Tvx2+wAZLvva24:dqYiV+2Su0wTvI+wwva24
                                                                                                                                                                                                                                                                  MD5:F6F00886EE605DECD561BD3465151BD5
                                                                                                                                                                                                                                                                  SHA1:2585353A6B42041244661D260CA7885E269A38C6
                                                                                                                                                                                                                                                                  SHA-256:126EE74EF2F420292FA5FFC120851D8B62854253568483FCE0DFA4B30F25E0E4
                                                                                                                                                                                                                                                                  SHA-512:A919E02F81520D285F769CF7E92EE25C85F2EB1949A29FFF022328E10937AA779477D6641F98EAE6720C0986B46240B7B3442693C4FBA0F70E0EA17E3517BB2C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h0...c...c...c...c...c...c...ca..c...c...c...c...c...c...c...c...c...c...c...c...c...c...c...cRich...c................PE..L...Tn.^...........!.........f.......T..............................................u.....@.........................p3..|...h+..P....p...............Z..................................................@...............\............................text............................... ..`.rdata...3.......4..................@..@.data....,...@.......(..............@....rsrc........p.......:..............@..@.reloc...............@..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4838912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.621698534821433
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:T08FkQJp2B2mIzIpvOd4+jJOj8yIFIvgxV5BczbkyCIHItFtSeVdToWOHW4T1ByL:Y8FkQJp2B2mIzIpvOd4+jJOj8yIFIvgH
                                                                                                                                                                                                                                                                  MD5:08A8BB063D74ACF7BBF4AFCBAEC830FA
                                                                                                                                                                                                                                                                  SHA1:D3C3C14DF9FCF818DDE3EA9B5F4EBCB29764AF3F
                                                                                                                                                                                                                                                                  SHA-256:09CB23A674253F947B7F640219C0A3A691FC01CC6F6EF81F9E04FD51E48E3809
                                                                                                                                                                                                                                                                  SHA-512:051A601DD491E3E8669869F0D603C83B7DB6DA60F811BA6EE621154F88A282FBB9D2B7928E140F2B9120F29347B86A1EE7CCC31E82873E62766ADEE56A418500
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...........!..?... .......%.,...O.^.!....!..(......."......."...).p.!......1......0...0c..!...0c..<...0c.6...0c.H.................!.......... ...q...).w.&...kb......kb..!... .c.!...kb..!...Rich ...................PE..L....=.g...............).@?...........:......`?...@...........................J......_J...@...................................D.......D...............I..(....H..<....B.p.....................B......GA.@............`?.....t.D.@....................text....7?......8?................. ..`.orpc...e....P?......<?............. ..`.rdata.......`?......D?.............@..@.data...le...@D..L... D.............@....rsrc.........D......lD.............@..@.reloc...<....H..>...pH.............@..B................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4838912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.621699077903857
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:o08FkQJp2B2mIzIpvOd4+jJOj8yIFIvgxV5BczbkyCIHItFtSeVdToWOHW4T1ByI:F8FkQJp2B2mIzIpvOd4+jJOj8yIFIvgc
                                                                                                                                                                                                                                                                  MD5:C90EB8119820503E069B73383DFDD082
                                                                                                                                                                                                                                                                  SHA1:0606E9671C588E080BFB2091E3552D3C3AAAF60B
                                                                                                                                                                                                                                                                  SHA-256:1B782134DE77581C4B8AB8825F41D0F3A5EC94F66CA4F96F5215AC34F95329A0
                                                                                                                                                                                                                                                                  SHA-512:826FFC7663579CA8F8AA71D9053A6FEE21ED1258FA0331ABF24AEEF4E68341A08ADC17872857D7383B81C3564AAE2E5797875131B6C65400B7CA1B45FAE98D12
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...........!..?... .......%.,...O.^.!....!..(......."......."...).p.!......1......0...0c..!...0c..<...0c.6...0c.H.................!.......... ...q...).w.&...kb......kb..!... .c.!...kb..!...Rich ...................PE..L....=.g...............).@?...........:......`?...@...........................J.....T.I...@...................................D.......D...............I..(....H..<....B.p.....................B......GA.@............`?.....t.D.@....................text....7?......8?................. ..`.orpc...e....P?......<?............. ..`.rdata.......`?......D?.............@..@.data...le...@D..L... D.............@....rsrc.........D......lD.............@..@.reloc...<....H..>...pH.............@..B................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1881600
                                                                                                                                                                                                                                                                  Entropy (8bit):6.693172838045771
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:KlUOwUJBatbEayw2w4vPUCNrZKF+s1r0eMqoyATecHVqxVY7Hvw7toEwLPr6:KGtRl4v9le6Te8qxVYjvw7toEwLPr6
                                                                                                                                                                                                                                                                  MD5:A011EA2D5C611606189C1015AB7C7A92
                                                                                                                                                                                                                                                                  SHA1:9B09C5A785E73AE8B6F17F7BAA5954F1C4054DCA
                                                                                                                                                                                                                                                                  SHA-256:C2220480C5A08046F4B00F79B8E9EAF2D4BDD1D9511A3378E65146F2758ADF50
                                                                                                                                                                                                                                                                  SHA-512:CEEAF3C04F3C0D3D2A0E48CF69C7B2BDE6C12AE8C1D91EB5C8D5E1C74D1CF73E44791648E38DBD4348F17A4CF9B18A669F6C7F9D155AB0DFE8E929A1A0B988D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........b.........................s.......s.............$......$......$......$.............................=.........%..M...%...........%.....Rich...................PE..L....>.g...............).....V.......6............@.......................... ............@..............................................6...............(.......,...,..p....................-..........@...................T...@....................text............................... ..`.rdata...\.......^..................@..@.data...`........0..................@....rsrc....6.......8...*..............@..@.reloc...,.......,...b..............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):330248
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7899102550791
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:4aXIREBEBRS1izV0CyJ8XytTl4jqNzmCPOIAOvQ10:kEhCyCOiqNxjRE0
                                                                                                                                                                                                                                                                  MD5:7C3B0175C350E6AEA7C5F4F331FB7457
                                                                                                                                                                                                                                                                  SHA1:46FE50380B66C64A98B08017DC0D8566D9B22847
                                                                                                                                                                                                                                                                  SHA-256:A83CDFC6ADDAC319E9CF2F950958DB790CA430F96D900B5205828EBE9B2829A8
                                                                                                                                                                                                                                                                  SHA-512:4B3972EB174AE834B39F34D51D19ACA9EACE14CACC54D0314DFBDE8B38C2A0514E81B5861BEE9CF8465313F6B98DB31B0C2D314B052CC8F5CDF58C7AF7E61AAC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..y..*..*..*.Vc*..*.Va*d.*.V`*..*...+2.*...+..*...+..*..r*..*...*..*..*F.**J.+..**J.+..**Jm*..*...*..**J.+..*Rich..*........PE..L...S..e...........!...%.V...................p............................... .......5....@.....................................(.......0A...............(...........}..p............................|..@............p...............................text...XU.......V.................. ..`.rdata..n....p... ...Z..............@..@.data................z..............@....rsrc...0A.......B..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):649008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.592395353162998
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:EevXOcMAzEExDWdMoe3BlkCwkupdTyu7XAgBn4Dy:9ecPzEExCaoeRqFkcTZjAgBnAy
                                                                                                                                                                                                                                                                  MD5:F8F5641394A455FDCC4E493ECCC7F012
                                                                                                                                                                                                                                                                  SHA1:02D12D3E6569EB3A669602AB12540DD509F7474C
                                                                                                                                                                                                                                                                  SHA-256:4B5051DDDB178BA71D1BFFF29D93693FC8DD73B3117A23E06BF6A3815CD7BA35
                                                                                                                                                                                                                                                                  SHA-512:BEC16EF02A11BC84A8B412B4D3F3142DC5532C88F8712C43FCF2397B4D0B6530D7DC7EBB512413C1E260711C0B5DBC454B8FE6E61886ED536953F8315C9EA74B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nR.*3..*3..*3..#K1..3..#K'..2..#K ..3..#K7.'3..*3..3..#K..)3..4a0.+3..#K5.+3..Rich*3..........................PE..L.....U..........................................@..........................@............@................................. 1..d.......................0.......pY..`................................................................................text............................... ..`.rdata...-..........................@..@.data....`...@...$...(..............@....rsrc................L..............@..@.reloc.."y.......z...T..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4642304
                                                                                                                                                                                                                                                                  Entropy (8bit):6.426691986717537
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:W27Bh5hx/f/OEGjZP+2IvLyUkkgauit1EfVqneLtMxYCvpwKqTXSWJls:X//ftkz4gauit1EfVqneLtMxYCvpwKq+
                                                                                                                                                                                                                                                                  MD5:5D6A9657FCA79D2EBEE063513C519183
                                                                                                                                                                                                                                                                  SHA1:968F25528CD4C674875ADFF3F6C4EE13C16386F4
                                                                                                                                                                                                                                                                  SHA-256:94B0C21E391E77F1D64D32D28DF0A46CE9B56A4AC6DB11D094B2259C75F5A7C6
                                                                                                                                                                                                                                                                  SHA-512:12F6D4D897136B115C6EE630DFC6A317CA8B47F2A080C93E2E1B30AF4B4673471B0DCE496DBA82CDA4DBFD26DC52EA65897EE24D3D0813CDBE0BA2DD6A13D0B0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........5..f..f..f...g..f..Hf..f.._f..f...g..f...g(..f...g..f...g...f..f..f.=&f..f.=.g..f.=.g..f.=.gU..f.<.gI..f.<$f..f.Lf..f.<.g..fRich..f................PE..L...A>.g...............).8 ...&..............P ...@..........................0G.......G...@.................................$o'.X.....(...............F..(...`D.@.....%.p.....................%.......%.@............P ..............................text....6 ......8 ................. ..`.rdata..Df...P ..h...< .............@..@.data.........'..n....'.............@....rsrc.........(.......(.............@..@.reloc..@....`D.......C.............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.pem

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PEM certificate
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):5262
                                                                                                                                                                                                                                                                  Entropy (8bit):6.05232077920498
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:LrdBs5tNThpCwTWYOHS2zkoGwhav1x6s7xPe47Oq1JmIyztq43ZEDRS4bcrkpk7:Hg5tNTDCdRoothav1xd7Be6Ositq43yY
                                                                                                                                                                                                                                                                  MD5:A8B2B3D6C831F120CE624CFF48156558
                                                                                                                                                                                                                                                                  SHA1:202DB3BD86F48C2A8779D079716B8CC5363EDECE
                                                                                                                                                                                                                                                                  SHA-256:33FE8889070B91C3C2E234DB8494FCC174ECC69CFFF3D0BC4F6A59B39C500484
                                                                                                                                                                                                                                                                  SHA-512:3B1FC8910B462EA2E3080418428795CA63075163E1E42A7136FA688AA2E130F5D3088AB27D18395C8C0A4D76BDC5ED95356255B8C29D49116E4743D269C97BF9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:-----BEGIN CERTIFICATE-----..MIIFVDCCAzygAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQswCQYDVQQGEwJVSzEf..MB0GA1UEAwwWU3BsYXNodG9wIEluYy4gU2VsZiBDQTAeFw0xNTA3MDYwMjQ2NTda..Fw0yNTA3MDMwMjQ2NTdaMC4xCzAJBgNVBAYTAlVLMR8wHQYDVQQDDBZTcGxhc2h0..b3AgSW5jLiBTZWxmIENBMIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA..wAXrbbT7bxfdfXv4WpeKYQwEj+O5IbELiqJUnjtSL8dhSLjunEnT08eNngGtUbKU..K9UYvokPo4w9dV7ZF2SIVNLLhGINgWfKGjFEOC2HMMxF6/Npjps8UdO3zozZtDET..4InDRAPDAQDuJX2le8sbmwcN6viuMPHQH/zM4VDg86txN/ueO+MHK4PR41dxNU6g..Mi1w4rntp1/alPtJi49CmxkonTzoWZsRz4QJAUJxEFmI4/2C9fKNEdiQUazHIXc1..55qeMTyaLna1ElRl1hpqvH4N7FChuXkG3ncEQRBZr41MCCX1l6PX1MGmbu6CRmEn..dzyu2fKQdnJ2nLzOzNRBuhEv/1Jm0Sij7b0QSberPSw0BqbVOZKY4b93ZRlqrkoD..K8LxS2/DtBvoeHxbF6UV6e4xHOpPDLlOLyfi27LYipTDN3Bt9yxUzcerLMu5KhZG..US8Alv80m+pnnsoSE6C4WN+/iDeRS2K8/BxY1TyFNAYRnC1sVaqwT/0AWHamKmXI..siGuKNMNSOB/pMx+qMFmvdYLMG/FHz6kBghyaqAaSOAcHzU6JJEOmy5PfyJ1VEVT..5ZeHGhwJ6FebFVAbpyTVRslokF6N2BXUuflN8N0Rp/8d5kr8ncHgd4boM16nl+T8..NMjiA0DkFktJHxnIKUEUH0nAIimvRt6+VTGIiXiPZbMCAQO

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2512896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4753020549085205
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:zWGSIw1LYgvpw8oP/CEKywAzkyDee1sPjfKgxqRPZBc1kHWFHgN:q3pK2pw8GsywSkyDee1sPjfZxqRPZBcY
                                                                                                                                                                                                                                                                  MD5:115400EB02B4BFDF711DA98ED3C4B02A
                                                                                                                                                                                                                                                                  SHA1:E65EC763B49370A84C236A244243FDA769F0EAF4
                                                                                                                                                                                                                                                                  SHA-256:A8628AA084EAB6054F1AB1C9CAC62EB3C7A0688E56F3A41C0C15758274F5C1F4
                                                                                                                                                                                                                                                                  SHA-512:272E1D5900B9443817B95F1F9D503B603B704A4ED64265E4D6A8E9F49684E505A1AEEAEE503885339AC7B2AAA4904C25898D8212799050440F36D2A215AAAAA1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~..h-..h-..h-L.k,..h-L.l,..h-L.m,L.h-L.n,..h-L.i,..h-..i-..h-..k,..h-..l,..h-..m,..h-..a,..h-...-..h-...-..h-..j,..h-Rich..h-........PE..L...H>.g...............).............G............@...........................&.......&...@.....................................T.......`............0&..(....$......j..p....................k......0j..@............................................text............................... ..`.rdata..6........0..................@..@.data........0...\..................@....rsrc...`............v..............@..@.reloc........$.. ....$.............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):984584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.654713325570367
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:gD2kCn6swdgSq3nUm08oS2R58vpo8Gp7EPVHHG0wIRCpDHFS:kvBgSq3nUD/R58vpofp4PVHHG07RgA
                                                                                                                                                                                                                                                                  MD5:8A17CA74AFC4FFF3A0AC2262DDD260A1
                                                                                                                                                                                                                                                                  SHA1:AC598B0297BF3CDF231D67A47BE942DA5173093B
                                                                                                                                                                                                                                                                  SHA-256:6EFCE3CC622589CE8A7B65C700692FB8EF9B97D50CDC828F0FC7E872C52CEBA9
                                                                                                                                                                                                                                                                  SHA-512:A8608961EF6936CD2EBAA6026B4074066A06F1CE90806C648B31E38E979F7BEB0F93A6E7BE33365A595D7DF6236E454241424DBC95EAC50867F2C78F89620BE5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.....x...x...x.W.{...x.W.}.x..5|...x.W.|...x..3....x..3{...x..3|...x..3}.S.x.W.y...x...y..x.T2q.[.x.T2x...x.T2....x.......x.T2z...x.Rich..x.........PE..L....X.f...........!...).....&............... ...............................`......5.....@..........................6..T....6...........................(......T......p...................@.......@...@............ ..`............................text...h........................... ..`.rdata...)... ...*..................@..@.data....h...P.......0..............@....rsrc................L..............@..@.reloc..T............R..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):552448
                                                                                                                                                                                                                                                                  Entropy (8bit):5.865289433993901
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:UQoq4YYQtv77f8m8end5Xy+1kvI8k9W91iVXuXskIhllJX:Noq4ih8edk+1kv5K+WhllJX
                                                                                                                                                                                                                                                                  MD5:935C221078C93D03DFFA92C6DC4AE1E7
                                                                                                                                                                                                                                                                  SHA1:EC084512AA57B0E35E54043A54BD4124E2FEC9B3
                                                                                                                                                                                                                                                                  SHA-256:CC2994B317104D242EF0C4DB5CCB67674B6A7AE7880106EE904BB28F84983B2C
                                                                                                                                                                                                                                                                  SHA-512:CE85F7546C45AE8CB5A9274D68E98202FBBAE5BFCF219C37DC7397970D45913F34A8BDB5080F18391EA657B85E994002C3669944B56DD4201FF48DDA9A8F5752
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Q.|TQ.|TQ.|T...U[.|T..yU..|TA8.UG.|TA8xUE.|TA8yUa.|T..xUG.|T..}UJ.|TQ.}T..|T.9uUZ.|T.9.TP.|TQ..TP.|T.9~UP.|TRichQ.|T........................PE..L...t>.g...............).F...........=.......`....@..................................=....@.....................................P........[...........F...(...`..........p...........................P...@............`...............................text....E.......F.................. ..`.rdata...}...`...~...J..............@..@.data...............................@....rsrc....[.......\..................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2790912
                                                                                                                                                                                                                                                                  Entropy (8bit):6.515198397435764
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:Qm+e4qYkb8w/90PctbJYS2WstU02XIdons6Ac4CCFUqTy1kHWiCTo5IeuV:Qhe4qHt/900dJYS2htUVYdons6Ac4CCy
                                                                                                                                                                                                                                                                  MD5:A8E93783D19D36C3F4FFB1DBFAE8D172
                                                                                                                                                                                                                                                                  SHA1:55467CBA43ED628BA84B2581C4E75FA88AAC360B
                                                                                                                                                                                                                                                                  SHA-256:DB8C9ADB0CA45A4237588FE56EC1C21475BDF8695E5FC372AF38FDDC996A86F0
                                                                                                                                                                                                                                                                  SHA-512:F8161E64FFF874E2C9CC3578CC1AE9720823AE36DD892BBA45F92DEF99E80518581D44A58E13448360B4CBACB2D7CE65ECBE3D99B8227B2DEFBA3461EF356B6B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........RA%.3/v.3/v.3/v<A,w.3/v.K.v.3/v<A+w.3/v<A*w=3/v<A)w.3/v<A.w.3/v.3.vR0/v..,w.3/v..+w.3/v..*w.2/v..&w.3/v...v.3/v.3.v.3/v..-w.3/vRich.3/v................PE..L...b>.g...............).B...p......S........`....@...........................*.....?.*...@..................................# ...... !..W...........n*..(....(..c...H..p....................I...... H..@............`...............................text...jA.......B.................. ..`.rdata..X....`.......F..............@..@.data...|....p ..f...L .............@....rsrc....W... !..X.... .............@..@.reloc...c....(..d....(.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):171008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.581229579230764
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:JwTKyDvUAHJyyOREv5n9s7jZuFKeV6O4u+9CI1B4hxV4pseK:UzmdRED6Zqj6puv2sP
                                                                                                                                                                                                                                                                  MD5:4DBE344527099F506D75079794DDB60E
                                                                                                                                                                                                                                                                  SHA1:310EC3DAFDD94A00BB21592F52B4B4329C3B13F2
                                                                                                                                                                                                                                                                  SHA-256:EEF291009D81DF627C18C11792FC19ED3ECEAC4533F05E1E493126AC7590DD5D
                                                                                                                                                                                                                                                                  SHA-512:29871C8FF4143EE4E047C68401B1CF3EA7B657FB00D7AF616B23F2C10FF486077EA3AD762AEC14F28ABCEC176B1FEFFC7F35979E5B1F87174D4438D88144F270
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z...Z...Z.....P.......J...L...J...N...J...j.....L.....M...Z...........P.....g.[...Z...[.......[...RichZ...........................PE..L...g>.g...............).............C............@.................................i.....@..................................Q..P....................t...(......l... ;..p....................;......`:..@............................................text............................... ..`.rdata..V...........................@..@.data...$....`.......H..............@....rsrc................V..............@..@.reloc..l............\..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):202752
                                                                                                                                                                                                                                                                  Entropy (8bit):6.625509070433462
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:htEsN626n96kvoxj7gPPLyeEik8P0AP0OeJcMGdxVsxi0BgfQLQsx7dsddQ:htEsN7696tEvE3iZP0OI4QgfQE27dsI
                                                                                                                                                                                                                                                                  MD5:8C556148001796898D2B978DA836C27E
                                                                                                                                                                                                                                                                  SHA1:30310378F3ECC88C1B44846821FD6DCA4F4CBC9C
                                                                                                                                                                                                                                                                  SHA-256:B37622280DA30ED53B2B7F619F7CBDED9EA107E7D598689025D5C489CBCBB912
                                                                                                                                                                                                                                                                  SHA-512:B4AB380B98F2F71E9AA394448E934BD9566149EEA1D8DD4D3BC5EB87D5C9BE977B5F41D6F6EF823F21AD685649A6E4CA5AAC9561EEA99BBA45196565117DD87C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.To.To.T...Ue.T.O.Ux.T.O.U{.T.O.UX.T...Ux.T...U..T...Ut.To.TY.T$N.Ua.T$NdTn.To..Tn.T$N.Un.TRicho.T........................PE..L...l>.g...............)............n........ ....@..........................0......cN....@.............................................X................(..............p..............................@............ ...............................text............................... ..`.rdata...... ......................@..@.data...x...........................@....rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):333320
                                                                                                                                                                                                                                                                  Entropy (8bit):7.909775605022876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:2lc/Jz+v9TViX69NAqxVKhFcuUa/w28bgSl1FcXirkmMDt:wcU9oe61hFPqgSzrkmMDt
                                                                                                                                                                                                                                                                  MD5:562D29B934BFB893AF36F03CBA478AE3
                                                                                                                                                                                                                                                                  SHA1:5AA2D1A95EE82DADB2EE604E503CEAF3FBFDDD6F
                                                                                                                                                                                                                                                                  SHA-256:ADEDDB37D54E44F84BE0F3824A5C2E98EDF831D6E16836C4CDF34FC47DA4BBF3
                                                                                                                                                                                                                                                                  SHA-512:0E85A3BC34D44815442DAAECF910AE02216B28891D785C2C85072FB2824E0AC4056A658C76522C4659F5275F975F291C8BC9217856F52EF1DB6778069FCF8A20
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......5...q...q...q.....c...........f...V...c...q...K...t..`......{.....p...wR..p...wR..c...wR..i...wR..$.....f...q...d....R..E....R..p....R..p...q.u.p....R..p...Richq...........................PE..L....d.f...........!...&..................................................................@.............................T.......@........................(.. ...............................................................\1......................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):337416
                                                                                                                                                                                                                                                                  Entropy (8bit):7.910033827099534
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jlsrxoLbx49G3x2MB7oUR71gg/wl12GSHU2eQHx+0lnPmDfYfG:B0dwUQNTW12GoU2eQR+SPmbkG
                                                                                                                                                                                                                                                                  MD5:7A90EC5109E67E431CAF2FD55D41F82F
                                                                                                                                                                                                                                                                  SHA1:412F6A3E795502CD39F76FD51B138E06A081F146
                                                                                                                                                                                                                                                                  SHA-256:2FA77B33CCCE1B5412A9866ACB63B050F6F94485EF8AEC378BC82D02929A1001
                                                                                                                                                                                                                                                                  SHA-512:ACDBE23B0FA784EA5433A223AEA32CF1C86436F7C9F4E715A10B6A891B4D6B8CEAA943C26444B5813AFDB6C9C4DE6F43B81A632D74920373C0D802613DFD2ED0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........e.g...4...4...4.v.5...4.v.5m..4.v.5...4..4...4...4...4...4...4OZ.5...4.v.5...4..4...4..5...4..5...4..5...4.v.5...4...4...4...5...4...5...4..,4...4..D4...4...5...4Rich...4........PE..L....d.f...........!...&......... ..`....0... ...............................0.......7....@..........................(..X....&..@.... ...................(..$)..............................\.......|........................e......................UPX0..... ..............................UPX1.........0......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2584064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.440913243183987
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:5PbCa9g5NKdDraFl0PGOfWHGyi2wmUKdbhPiqlI13PXuYpJnuUs9tOs:Ya90N/F6uOfWdi7KdbhPiqlI13PXu+JG
                                                                                                                                                                                                                                                                  MD5:EE90B98C4D5EB0D6BED3E7D17986CA3F
                                                                                                                                                                                                                                                                  SHA1:194CD829FAE134D99CE4D0A0ECF2A054FB1EDDF1
                                                                                                                                                                                                                                                                  SHA-256:3B8EE94B34CC2BB18CD5A92DC0E52CC3C807D46BC7F5B556BFE7C903351BB483
                                                                                                                                                                                                                                                                  SHA-512:31AE2A14FCDC4817A850331162FCE08E7200B8D78745F62C6875B51B521AD95834693DC95C8D81C5748BF91A5216C152D1143F62C04AA745F2FDF15594E05B5E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>F.._(._(._(.O-+._(.O-,._(.O--.F_(.O-.._(.O-)._(._).+\(..+._(..,._(..-..^(...!._(....._(._.._(...*._(.Rich._(.........................PE..L...e?.g...............)..........................@...........................'......'(...@..................................Z!......p"..............F'..(...p%..V...x..p....................y......0x..@...............4............................text...L........................... ..`.rdata..............................@..@.data.........!..j....!.............@....rsrc........p".......!.............@..@.reloc...V...p%..X....$.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):301568
                                                                                                                                                                                                                                                                  Entropy (8bit):6.684210285014497
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:bUU7mTVMCnY51BqHdwfxlu/FHouZykwgyDbsGUH:gU7mTVMCnY5ffuZykwgcgGUH
                                                                                                                                                                                                                                                                  MD5:3205FE6E61A40EF3C0B3C141754A3855
                                                                                                                                                                                                                                                                  SHA1:E9C7487763E943612613B318290832C288BA8D2C
                                                                                                                                                                                                                                                                  SHA-256:618B0F0ABD74B29C153814B55D3B4305927143A5E93688210427AC463824D438
                                                                                                                                                                                                                                                                  SHA-512:CCEDE3BEE9E1A9BC91226FCAAE6C81F35F6D13BF13B3704C04F123F3F397EAFE0BB09E34CA68729919DE74BCCE5BC3C0DC12A5960B2F0CB227CA6DD9A878C720
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..=y..ny..ny..n...os..n...o...n...om..nio.ok..nio.oi..nio.of..ny..np..n...oz..ny..n(..n2n.ox..n2n.ox..n2n.nx..ny.vnx..n2n.ox..nRichy..n........PE..L...m>.g...........!...)............h...............................................<G....@..........................J..$....L..<.......x............r...(......$"...8..p............................8..@...............h............................text...D........................... ..`.rdata..h...........................@..@.data.... ...`.......<..............@....rsrc...x............H..............@..@.reloc..$".......$...N..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):115208
                                                                                                                                                                                                                                                                  Entropy (8bit):7.877996118531337
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Ojw9KC9FNiaL9tfuTjyUDJ90sFAmUPDo0hbn+F2LyvwFOs/cYb:b9KC9FNbwl9+D7o+XmIFOh4
                                                                                                                                                                                                                                                                  MD5:6B82A354476FA7C56175EE060F08E2C9
                                                                                                                                                                                                                                                                  SHA1:D77566D72C6F1C796C2E8087A9BD04920455B138
                                                                                                                                                                                                                                                                  SHA-256:754C8D6C7C91B7620A7EE34665C28F0BE67686591E5B49A7E9B8C33BAEF6C37E
                                                                                                                                                                                                                                                                  SHA-512:E5241DCF50B4D6003FCF1FE14F8693CDE525CDF020E7CF7557B76AC954102722C7721BDE48DAE08A4524A12E611AF950588ADBEEBC95158901BCA6238CE2FA51
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[...5S..5S..5SDn.S..5SDn.S..5SDn.S..5S..0R..5S..1R..5S..6R..5S..5S..5S...S..5S..4S..5SY.<R..5SY.5R..5SY..S..5S..S..5SY.7R..5SRich..5S................PE..L...w..e...........!................P*.......0...............................@......:g....@.........................<6..(....5.......0...................(..d7.......................................,..............................................UPX0....................................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):733704
                                                                                                                                                                                                                                                                  Entropy (8bit):7.921389042280339
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:SEjmVTsQGgZp4zjWURE9b9Sh73+axBJIsPqTVzVpW6jg6sQNGh+rIY2eV0Vt3Cz8:SEjmpsdgZwjWUREN9o91kV5pWmNGhM/q
                                                                                                                                                                                                                                                                  MD5:C0B530DCB39BFFA1B2A64DCB9DCE67CC
                                                                                                                                                                                                                                                                  SHA1:FC80610E9876B750B5C71CDBA679610320C3DF49
                                                                                                                                                                                                                                                                  SHA-256:A4103499C3584F3D2274E8D81B1355312D7CCF2CA794C746915ADA79C12F0D7D
                                                                                                                                                                                                                                                                  SHA-512:1326AD4B4EE3920E21449A0367E5912605AEAAF5C692A9042FEEBD2E4B789408DE605A7154D2DCD8A038358A98457312403C7AD550B3CDA64ED9D3E81E23459C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........u...........A.&....A.$.V..A.%....k.......|.....|.....|..........Oa.....lD..........\}....\}....\}(......@....\}....Rich...................PE..L...w..e...........!..............(..3...(...3...............................3.....b.....@...........................3.d.....3.x.....3..................(..x.3.......................................3.............................................UPX0......(.............................UPX1..........(.....................@....rsrc.........3.....................@......................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\STRLOG\splashtop.bl

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3835
                                                                                                                                                                                                                                                                  Entropy (8bit):4.764498295481361
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:y7IqsbCST8eInWhT2YB9tds0xNqu72V3VcaM/g7QSEvqcAzOt6zS:y7IuxeeS9VjiMl6e
                                                                                                                                                                                                                                                                  MD5:D949C968DFD291B7D69CD9A65A1CBC8A
                                                                                                                                                                                                                                                                  SHA1:9FD25344A4E35BE5F6FCC3CBD346D9230820016F
                                                                                                                                                                                                                                                                  SHA-256:D166064C6FFADBD505076B633E10D5536739C3E68E4B48F6A396FD8299666E56
                                                                                                                                                                                                                                                                  SHA-512:68C26A66AEE424CFEAF9A5BADFA2592DA91C5B1BE65B69C60879255936413215BDA05D5633F69C7AAD2688A53A586BB54E3AC722E2DCE3BFAC034C4C1C4594B4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.svchost.exe..csrss.exe..SearchFilterHost.exe..SearchProtocolHost.exe..conhost.exe..winlogon.exe..SRServer.exe..SRService.exe..lsass.exe..services.exe..smss.exe..wininit.exe..lsm.exe..SSUService.exe..spoolsv.exe..SRFeature.exe..SearchIndexer.exe..WmiPrvSE.exe..mDNSResponder.exe..AppleMobileDeviceService.exe..nvvsvc.exe..DataProxy.exe..iPodService.exe..audiodg.exe..cmd.exe..spupnp.exe..WLIDSVC.EXE..WLIDSVCM.EXE..dllhost.exe..taskeng.exe..armsvc.exe..rundll32.exe..atieclxx.exe..atiesrxx.exe..ctfmon.exe..SeaPort.exe..nvxdsync.exe..MsMpEng.exe..nvSCPAPISvr.exe..wlanext.exe..LMS.exe..ccsvchst.exe..UNS.exe..mscorsvw.exe..msiexec.exe..iTunesHelper.exe..LSSrvc.exe..btwdins.exe..LogonUI.exe..TrustedInstaller.exe..avgwdsvc.exe..jusched.exe..unsecapp.exe..IAStorDataMgrSvc.exe..PnkBstrA.exe..AVGIDSAgent.exe..GoogleUpdate.exe..AvastSvc.exe..RTHDCPL.exe..sqlwriter.exe..IAANTmon.exe..avgcsrva.exe..mdm.exe..igfxsrvc.exe..Ati2evxx.exe..ZhuDongFangYu.exe..VSSVC.exe..wisptis.exe..hpqWmiEx.exe..avgcsrvx

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):326664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                                                  MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                                                  SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                                                  SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                                                  SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):263688
                                                                                                                                                                                                                                                                  Entropy (8bit):6.578168733069161
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:rP7UBxcJ1Puvfk+GTVGUtO9EU5dem+b0sInsLwcQRelNXkd6X0ThhYibRYI:DhmE+YQY4/eHw5ew8N0A2Xbh
                                                                                                                                                                                                                                                                  MD5:F276DD195D935138FA1EDA9C522CD62C
                                                                                                                                                                                                                                                                  SHA1:67508C991FAE8F6A503B7997D96CE4BB7AF559CA
                                                                                                                                                                                                                                                                  SHA-256:3E4FF68E9E2E312A9DDCD249F9BC2782103452E64CF6DF2914EF989006DD6EFA
                                                                                                                                                                                                                                                                  SHA-512:F3E2C301A7091D04F0D17BCDDC2BB0057366FE7089564966FE2EFD56ABD381190B01672DB6E6C7330E553382D38D7FEFDB644F1DF9F28B85714F52F695D812AE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.._(..(..(..../.)..!.,.2..!.:....!.*.3..(..!..!.=.t..!.+.)..!.-.)..(...)..!.(.)..Rich(..................PE..L...%..e...........!................+........................................@............@.............................w....~...........................(......X$...................................O..@............................................text............................... ..`.rdata..W~..........................@..@.data....K...........z..............@....rsrc...............................@..@.reloc...@.......B..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_provider.man

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4448
                                                                                                                                                                                                                                                                  Entropy (8bit):3.463053305093135
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:NZ9Y9R9iY+Al8/ky6V9R9iYsrAl8/k5v+sv:0bMAl8j6vbirAl8mv+y
                                                                                                                                                                                                                                                                  MD5:20D8473FB148C4ADA5878B313BC776AF
                                                                                                                                                                                                                                                                  SHA1:1C88D93AED07AF5753D5CADE1BBA2EC1A69C81A8
                                                                                                                                                                                                                                                                  SHA-256:FAFFFA0C014BF46A71E323FC4275A5A9004FF90B474B1B7A30D5728FA81D3568
                                                                                                                                                                                                                                                                  SHA-512:5E6AD6B5F040C927685FB4BF4A83149DCDDB22F8A1BD5ECFF5B6E69ECAB80FA7DDAACFA4FA7EB35D9723F4CF364B96D61482FA805F5B6595AEDF064C3C099C2B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t..... . . . .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.".>..... . .<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>..... . . . .<.e.v.e.n.t.s.>......... . . . . . .<.p.r.o.v.i.d.e.r..... . . . . . . . . . .s.y.m.b.o.l.=.".P.r.o.v.i.d.e.r._.S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s."..... . . . . . . . . . .n.a.m.e.=.".S.p.l.a.s.h.t.o.p.-.S.p.l.a.s.h.t.o.p. .S.t.r.e.a.m.e.r.-.S.t.a.t.u.s."..... . . . . . . . . . .m.e.s.s.a.g.e.=.".$.(.s.t.r.i.n.g...P.r.o.v.i.d.e.r...S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s.)."..... . . . . . . . . . .g.u.i.d.=.".{.6.6.

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28160
                                                                                                                                                                                                                                                                  Entropy (8bit):3.7217591844595956
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:/xr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:/24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                                                                                                                                                                                  MD5:29F288F751FBCEA5CD75EA9774882787
                                                                                                                                                                                                                                                                  SHA1:5A4C30382C63E29E848B681D39CC213C2198E12E
                                                                                                                                                                                                                                                                  SHA-256:711702EB24803788CE601996F90B7EF57EEF1F764F7AAF3A96E2196ED4A9533E
                                                                                                                                                                                                                                                                  SHA-512:B7FC0A739B33E79232EF506393CF90297F4D41F165F34B5BE50648D8A1967419E1F0EE369E809D5C142898824E8B5A3784106D33A2D1D72CD811D5352F4BBD60
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.PE..d....._.........." .........l............................................................`.......................................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28160
                                                                                                                                                                                                                                                                  Entropy (8bit):3.7214568392805565
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:xXxr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:xX24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                                                                                                                                                                                  MD5:BE32CA6CD3810D278DC07C2D67FA5A44
                                                                                                                                                                                                                                                                  SHA1:63C47D24563F3E19BADE1482BA91D57542736C6C
                                                                                                                                                                                                                                                                  SHA-256:2F28F5D4952FD4430568AFCCE023C4885B47BF7C705950B252555C7D92EEFB72
                                                                                                                                                                                                                                                                  SHA-512:C21FF9E2116F0C469642C47B85E6D36970344F6C929B018DB6BED88FEFB54AA9C82EDDA1F9123F1B493E9046DE2B46C44C62900967752110EA056B54CEB56E85
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.................PE..L....._...........!.........l............................................................@.......................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1458184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.608368260050606
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:3u1d1TlM6S5+KpPH2+68gJ4dxM3GsFa8cihBUbo0h3yT26:3ub1T2B/+J4jMWsFa8cJbo0h3x6
                                                                                                                                                                                                                                                                  MD5:86FB762B6F48E0F579D8E1C20D829E5C
                                                                                                                                                                                                                                                                  SHA1:35643C93BAF6F1A0DC2607C2F65D339DD149FE71
                                                                                                                                                                                                                                                                  SHA-256:1837087E75DE428C18ACEC7F2EF7576752396A3A1EF15450230734E9EE194B28
                                                                                                                                                                                                                                                                  SHA-512:A0A53F0C256DD1ED0FA512E11A4AB936BD829B22E37C422194144CF022192B2C7157A4220BAD2ABF45CA6FF44FA3E954BE57147E57CB869D1E53399F5895FB13
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..N...N...N...N...N.....N......N......N....~.N......N...O...N....9.N......N......N......N.Rich..N.................PE..L......e............................Ku.......0....@.................................(.....@..............................................................(...........5..............................pb..@............0..............................text............................... ..`.rdata..@....0......................@..@.data... ........j..................@....rsrc................&..............@..@.reloc..F,..........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1721576
                                                                                                                                                                                                                                                                  Entropy (8bit):7.978334410477683
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
                                                                                                                                                                                                                                                                  MD5:4DA5DA193E0E4F86F6F8FD43EF25329A
                                                                                                                                                                                                                                                                  SHA1:68A44D37FF535A2C454F2440E1429833A1C6D810
                                                                                                                                                                                                                                                                  SHA-256:18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
                                                                                                                                                                                                                                                                  SHA-512:B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m*%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0............................................................@.........................................`................p..l!...`..,....,...............................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15072
                                                                                                                                                                                                                                                                  Entropy (8bit):5.857603927715577
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yJaZmN9l0HNbsphoCqpQATeZjMcnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrie:kaZM0HlGOpQMejxnYPL/p1P6jeL3b
                                                                                                                                                                                                                                                                  MD5:3CDAE3B3A3AE968DB4756613EEFF3680
                                                                                                                                                                                                                                                                  SHA1:FF474C2D8A83BD5AF0A6B6CA954004D86BCF6FCA
                                                                                                                                                                                                                                                                  SHA-256:8DC9051BC452639550EC4F956F1DBBAC2D2A1886868C17743A3E4BE22297E166
                                                                                                                                                                                                                                                                  SHA-512:50E01496A3F891AC4BB455092427A4549406EAED44A292D415B8B42DF5FF72D1352EA6FCC66B2A11151AB9AE6590158753CC28E78F2DAC7FEBD5F6B8B4908126
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'N.OF .OF .OF .OF!.JF .F>..JF .F>..LF .F>..KF .F>..NF .F>..NF .F>..NF .RichOF .........................PE..d.....#Q.........."..................a......................................................................................................<a..<....p..x....@..l...................@ ............................................... ..8............................text............................... ..h.rdata....... ......................@..H.data........0......................@....pdata..l....@......................@..HPAGE.........P...................... ..`INIT....*....`...................... ....rsrc...x....p......................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):21216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.105547248727277
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Zfhpq1BKeL/JQyyo0Y0HgWjkRtPzjn4nYPL/p1P6jeL3fq4:hhpq1BK8/JMYChMxXn4umiP
                                                                                                                                                                                                                                                                  MD5:A10A6FC3F643F82777345ADDC182799A
                                                                                                                                                                                                                                                                  SHA1:015BDFF614CD475C119C9CDC25950E8226930584
                                                                                                                                                                                                                                                                  SHA-256:8D09A7643A0095A0077710423E7D8D7134F9197B6F73DA427333790BA3774A61
                                                                                                                                                                                                                                                                  SHA-512:5D2D6FDCCB9A99F95467E734AC83C77162D5D4509248A4BFDCE493BDD9D140220416095E0F75DDAB50071850FC0892CED2835336D1C42F4A3AC87F0D66C41ED8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'F.SF(.SF(.SF(.Z>..PF(.SF).AF(.Z>..VF(.Z>..PF(.Z>..PF(.Z>..RF(.Z>..RF(.Z>..RF(.RichSF(.........PE..d.....#Q.........."..........&..............................................................................................................`...<.......@....`.. ....6...............0...............................................0...............................text............................... ..h.rdata..L....0......................@..H.data........@......................@....pdata.. ....`.......$..............@..HPAGE....x....p.......&.............. ..`INIT.................*.............. ....rsrc...@...........................@..B.reloc..<............4..............@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1461992
                                                                                                                                                                                                                                                                  Entropy (8bit):7.976326629681077
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:GjG90oN2lj11mk/22yYzGrarZRm4X5Uh6rVh5LdfBwOyCSQM1fFhSWRA2+:iGtN2h1120R7m4XShYVxfBwrC21fXSz
                                                                                                                                                                                                                                                                  MD5:A9970042BE512C7981B36E689C5F3F9F
                                                                                                                                                                                                                                                                  SHA1:B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E
                                                                                                                                                                                                                                                                  SHA-256:7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
                                                                                                                                                                                                                                                                  SHA-512:8377049F0AAEF7FFCB86D40E22CE8AA16E24CAD78DA1FB9B24EDFBC7561E3D4FD220D19414FA06964692C54E5CBC47EC87B1F3E2E63440C6986CB985A65CE27D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.B...B...B...Kd1.E...B.......Kd7.Q...Kd .M...Kd6.C...Kd'.....e...C...Kd0.C...Kd5.C...RichB...........PE..L.....[J...........!.........N......C................................................S....@..........................................P...<...........6..................................................@............................................text............................... ..`.data....G..........................@....rsrc....<...P...>..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):13024
                                                                                                                                                                                                                                                                  Entropy (8bit):5.821753253165571
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:hjJQAzeZjMpnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrMYPT:RJQUejknYPL/p1P6jeL32Y7
                                                                                                                                                                                                                                                                  MD5:C57099F9A63D144A9CDC103D2C42A6AC
                                                                                                                                                                                                                                                                  SHA1:F2AA1DBAC145BDA82DEDB69CA969EF4D0831C3DD
                                                                                                                                                                                                                                                                  SHA-256:D8390287A8865769BB50B0B83E7E7FC56B055BFC48D3513146CDB8D3954338BE
                                                                                                                                                                                                                                                                  SHA-512:18AB1AB0D233AEAAB786A28AEF766AAD9C683859628AEE94527C426DE7F63171345CAB4ECF96C54F19C93DF5E637A4D845C2487049DE161E19229F6253C775E4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................................................Rich............................PE..L.....#Q.............................P....... ......................................r........................................P..<....`..x....................p..8... ............................................... .. ............................text............................... ..h.rdata....... ......................@..H.data........0......................@...PAGE....#....@...................... ..`INIT.........P...................... ....rsrc...x....`......................@..B.reloc..j....p......................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):224
                                                                                                                                                                                                                                                                  Entropy (8bit):4.711399671949434
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGIIbdELVKT7:kidCicjdCiMt/jdx7
                                                                                                                                                                                                                                                                  MD5:001B12FA9D827E2A53675F4FFC5D68D8
                                                                                                                                                                                                                                                                  SHA1:0D1221A35F3FEF1B8B0B38E835BFB8F35357D3AB
                                                                                                                                                                                                                                                                  SHA-256:2C6E538B58C32DFFC7E3ED85175A2F5D08C5AA3FA68EE05207DB6A015D778DD1
                                                                                                                                                                                                                                                                  SHA-512:E85BAD69B1F36D36B96A03713B885FDDC485E7DA5A5FA4B07F5AFD7264BC9989F4AEA14822588F3921EFF4C6C5E7D2737CD382866A089DA8F4A19CAF69BC3FF3
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log..utils\devcon.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):232
                                                                                                                                                                                                                                                                  Entropy (8bit):4.799817305367961
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcGIIbdRL6VKT7:kiddcjddMr/jdD7
                                                                                                                                                                                                                                                                  MD5:4D969376976863ABA27CCF817EB97219
                                                                                                                                                                                                                                                                  SHA1:F65EA3234AFC4741F48AF51EE83280520969BF5A
                                                                                                                                                                                                                                                                  SHA-256:C62D9158C0807D0EE3225E13BAD307199AF61DF1659ADCA91E1361865C325EEE
                                                                                                                                                                                                                                                                  SHA-512:88F38ED5AD7FECDE209782D1111C142BE63AE54D73A71E737BEBC0FB1498D7988AC9EC0173DEF5F6E0A17192A5F802145E69BFDA606B253AFBFE23B5058A7413
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..utils\devcon64.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.cat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11968
                                                                                                                                                                                                                                                                  Entropy (8bit):7.0656302139179195
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:5eMsGsZrVjbd/22z0yK2zFWQFyGZh4qnajA3vKkCTglckNVa:HsGsZr5pRpFRj0lo3CXkNk
                                                                                                                                                                                                                                                                  MD5:50BD9CFE7F724B3001FC833FF3FC284D
                                                                                                                                                                                                                                                                  SHA1:5A2D4C52C87170AFAE9F3F4DC75A81A046FF3EEB
                                                                                                                                                                                                                                                                  SHA-256:C7AE67C9A0669F2798ECA4452552F8F4919E2FB6D117ED290AC3F64966ECEEE0
                                                                                                                                                                                                                                                                  SHA-512:52CC8930BAC7CBE7AF9C2B64D8A3BCF874D76DDFA21691B3B47E4B5BE938BF42D1D0BF0B6BFA3EEEC61D81328B41FB608AC8DA5F278BF06C1AB294B0055FB3FF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0..X..+.....7.....I0..E0...+.....7......C....G.|J].q.z..130223030803Z0...+.....7.....0...0.....c.....I..x.....c...1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0.... . q&H.Hv4;.s....N....uB^...@_.%1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... . q&H.Hv4;.s....N....uB^...@_.%0.....o..5....,.SV..\....1~0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...i.n.f...0.... (..~......&vHk_..4U..:.Tu="|:H.1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... (..~......&

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.inf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4350
                                                                                                                                                                                                                                                                  Entropy (8bit):5.269640657392187
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:BmLnkrr4fzkQCmlCDHCMmDtu6KgbNHYFMDO:BmLny0fzkklCmBtu4NHBDO
                                                                                                                                                                                                                                                                  MD5:6580EDB5B8713F3BFD3DF983758A4EA3
                                                                                                                                                                                                                                                                  SHA1:1E6FC7E435A3C3E20E2CFF5356DED95CF0C7D0EB
                                                                                                                                                                                                                                                                  SHA-256:815FBD6C3BFAE5EA77ED77480FAAC1AFAE946D4BF109B95480C60030A83AE1B1
                                                                                                                                                                                                                                                                  SHA-512:EA332A77DBDCC2184B2154EF496DAE4C663075447EC4ACF61E83A5AAACCF702E2F0E0F6D7F91E4499993A9B9D7C3A9A21C495EEAD606E2F5EB5F4DF272A86928
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=HIDClass..ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da}..Provider=%splashtop%..DriverVer=02/18/2013,1.0.0.5..CatalogFile=sthid.cat....[SourceDisksFiles]..sthid.sys = 99..hidkmdf.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..CopyFunctionDriver = 12 ....[Manufacturer]..%splashtop%=Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....; For XP and later..[Vendor.NTx86]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....; For Win7 and later so that we can use inbox HID-KMDF mapper..[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....;===============================================================..; sthid for XP thru Vista..;===========================================================

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.199619066707982
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:D+CpJmsGTJgbzPvaen0XUqcZzpV1DzjBnYPL/p1P6jeL3CX:B85e4+zpbXBumPX
                                                                                                                                                                                                                                                                  MD5:5904635A7888083EBB86C3A1218CB59B
                                                                                                                                                                                                                                                                  SHA1:69540333726CEF1EABD5B75D56822B36F9065840
                                                                                                                                                                                                                                                                  SHA-256:00648146272AF74EF5B1E74E83F58280FA1CC403621941AB3CB4E731756289F7
                                                                                                                                                                                                                                                                  SHA-512:56B936EFBD05D0906577754334D9B1A562AE0AD25574E22149C6BD97950FD73809A4EF1542D4D7CAA4E5B81DF53975FDB1D57381232F9B8D17A463F1E1A81859
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q...Q...Q...X...R...Q...D...X...V...X...S...X...P...X...P...RichQ...........PE..L.....#Q............................v........ ..............................................................................<P..P....`..@............*.......p..t...` ............................................... ..`............................text... ........................... ..h.rdata....... ......................@..H.data...`....0......................@...PAGE....t....@...................... ..`INIT.........P...................... ....rsrc...@....`....... ..............@..B.reloc.......p.......&..............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):164
                                                                                                                                                                                                                                                                  Entropy (8bit):4.75247427731045
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:jTDVBF+jVy/d/KiIKTAFshseJDo7EIbd/KiIKTA8vXto7EIl2YR41NDoC:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGC
                                                                                                                                                                                                                                                                  MD5:6E5A084690CBEDCB4F74C1C365F2048E
                                                                                                                                                                                                                                                                  SHA1:379AF77A9066EE1EFEA1C17A21CF1C0AD7BF17FD
                                                                                                                                                                                                                                                                  SHA-256:F67BFB651037E84F5AE6965B5511FA1B9BD2C819B034A8284462AF01C0E0148F
                                                                                                                                                                                                                                                                  SHA-512:1ED233EF2BB513DCB9F3610AC36BBEB07259EAC7BA6F96E596B111C137F6B1BB35E1200ECAB3914925C6CCB80CD3A74ACEB40FA3775300151D34C7AB9C47A84F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver64.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):172
                                                                                                                                                                                                                                                                  Entropy (8bit):4.845091480099467
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:jTDVBF+jVy/dRLX/IKTAFshseJDo7EIbdRLX/IKTA8vXto7EIl3xR41NDo7n:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcG7
                                                                                                                                                                                                                                                                  MD5:C949FE57CE36D8C5FF18AD66A5C83138
                                                                                                                                                                                                                                                                  SHA1:BE891CE4AF8434FB3A439F7F0CB9EC3E17BDB99A
                                                                                                                                                                                                                                                                  SHA-256:8A5E292037FFC57F78E8C8D8AE945C319A41FABEB2112099BA3FFD9D08D4C1AA
                                                                                                                                                                                                                                                                  SHA-512:5F22FB7C586852EF5EDB8A28250B4BAA2194FE7599E1EF0733554E512ADCC7326D625F67CACD21C06A3B9A8B43AAF7B8E23D1C529FCC1B36D3E983AF5384FC4B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                                                                                                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                                                                                                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                                                                                                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                                                                                                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):10752
                                                                                                                                                                                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                                                                                                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                                                                                                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                                                                                                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                                                                                                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidNotSupport.reg

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):288
                                                                                                                                                                                                                                                                  Entropy (8bit):3.654691319611147
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12qv:Qy5hVZteAxDZBuGp/hUp
                                                                                                                                                                                                                                                                  MD5:AFB11B8A638A36856B635F9805BEC627
                                                                                                                                                                                                                                                                  SHA1:29E88479691D922698D1DAEC3F06EFD438CB90F1
                                                                                                                                                                                                                                                                  SHA-256:908EF8C0EEE73EFFAE7CA6AAEF29387302B1D69AEBE5EA587DEE7F1589F418D6
                                                                                                                                                                                                                                                                  SHA-512:1C929F635DF273BF7843A433C461761374E3CE8B2A41C479E2AA9B6A27F4CEF5CE78BAE8902EE99673E33E9E165333A1A4C09D8503F259809F282E6B4A15EBA9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidSupport.reg

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):288
                                                                                                                                                                                                                                                                  Entropy (8bit):3.6709758888329973
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12q8:Qy5hVZteAxDZBuGp/hU2
                                                                                                                                                                                                                                                                  MD5:4F4EC6847BC91FCFAC8BFE7840649CCE
                                                                                                                                                                                                                                                                  SHA1:642FB6860473391D28E1DC407A81B3829D048AFC
                                                                                                                                                                                                                                                                  SHA-256:CC4837A65AE43EDF3AA3FD2C77912A881694C43EE203A127CE27641455AC7AD3
                                                                                                                                                                                                                                                                  SHA-512:C896A60395237BED708C79CDBFF2FE9685E8B42A140EF96C2352559128B7700DFF8CA7267261A9EB5143583F296D0498C811E092516408B5500CC75DA8409C44
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.........

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):77824
                                                                                                                                                                                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                                                                                                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                                                                                                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                                                                                                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                                                                                                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                                                                                                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                                                                                                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                                                                                                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                                                                                                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):207872
                                                                                                                                                                                                                                                                  Entropy (8bit):6.37796848857206
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:7GvbxQUBBNCDNRKmW5yI0q4WpEpdXbTtSpA4bNzNm0piB:UzCDNMCq4qp7bNzNm0pE
                                                                                                                                                                                                                                                                  MD5:0FCEB59B7E6FF46D27B896748593B5F4
                                                                                                                                                                                                                                                                  SHA1:5F92608A664FB069B781F3C51AC10C5ECCC89817
                                                                                                                                                                                                                                                                  SHA-256:F95D664CFB6A96172C733957A7164F7C89D29A09557154DA6745510B364CA5D8
                                                                                                                                                                                                                                                                  SHA-512:EBF7D13B0BCC97ECFA92299894165E7CF435D89EE90F553DA0B4B1DA5F764C6339102BB92DF63AE1EB23903F8D147AAB919F536B0873DF9E7C7D6BE482AAC7F1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................~......~.......?................../....}.....}.....}.....~......~.............|......|C.....+.....|.....Rich............PE..L...p>.g...............).....t....................@..........................@............@..........................................P..p................(... ..|.......p...............................@............................................text...Z........................... ..`.rdata...{.......|..................@..@.data...H....0......................@....rsrc...p....P.......&..............@..@.reloc..|.... ......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):198608
                                                                                                                                                                                                                                                                  Entropy (8bit):6.465406905232138
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:mNvlfI7fn3+ksrtRYs5BZdHEsTznNZQtiF22W9bKReKn:+fMnuhrrYszTjTQtiF22WKl
                                                                                                                                                                                                                                                                  MD5:B51CB7BD99774F42D4FCD81522E159DA
                                                                                                                                                                                                                                                                  SHA1:815646C93E09F0DB23951F3D8CD7319240CDBD43
                                                                                                                                                                                                                                                                  SHA-256:55C8BEEBC29238A691AF1FDF44D922BDAC9B47034956311A9D467374049462C2
                                                                                                                                                                                                                                                                  SHA-512:3375489BC03A442775FB02C5AB1D264FF2A972A805179B9F860D1FF26F09E529DCF7D03EA18CF3D56FC1DD429423C344CBFC4B89F20158D84896AA257240796A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.............+......(......-......).......`...p_....>......?.5....?.,....?./....?.*....Rich...........PE..L......R...........!......... ......!........................................0......m8....@.........................pa..o9..8R..P................................"......8...............................@...............h............................text...F........................... ..`.rdata.............................@..@.data....8.......4..................@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):561584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5335413043485335
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:n+Uac7b2syTCmCZ9z7I6KxOYDkHlTiO+k86hiCivi:+UacGbC7bYgHlTi6eo
                                                                                                                                                                                                                                                                  MD5:A9A9D31764B50858A01B1FB228406F06
                                                                                                                                                                                                                                                                  SHA1:7A313C46F049287045992F54F9D6EDA9DB568EF8
                                                                                                                                                                                                                                                                  SHA-256:C0BABD7670124BB298D3BA6A8EE5AE33AD1030C08A18D8B8861F5D83003EB645
                                                                                                                                                                                                                                                                  SHA-512:164D5497AA91A5B4742A291F589400BC0B189AF946615A2F04E6CFD1ED598A542F7521E4DD79AAB99414846A3C391255309F911C247EF446A0483D9FAB6EFDFC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................h......._(`........................................V....V......V......Rich....................PE..L...9..X.........."!.....X...h......-T.......p......................................}/....@.............................`6...D..P....................z..................................................@............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data...TT...P.......<..............@....gfids...............H..............@..@.reloc...........0...J..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):11479560
                                                                                                                                                                                                                                                                  Entropy (8bit):6.352121129517374
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:QFLqnywIMoJDvZ4drfgYOfyg74bvnFCw4UnH:QFLqywhoJDadbk6HFUUH
                                                                                                                                                                                                                                                                  MD5:2EA6D3B8DEF550387EF986976A2C7302
                                                                                                                                                                                                                                                                  SHA1:7A0471A88819941FAA90C017593DE695FFE2CEB1
                                                                                                                                                                                                                                                                  SHA-256:D024B79B5B6DF6AC65A10A3E3D88266D4FBA17F5E1CDB9F9A4C0E276499741B9
                                                                                                                                                                                                                                                                  SHA-512:545BD9203B3A1D762C29755DA4021565C85DFF12A49992BE98A17BB9A6C342CAD955A5CF1C4D572B654BE70CDC40F12B0C6BEE221ED23CB31EE311670EEE12E6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.f.................4...........R... ...`....@.. .......................`...........`..................................Q..L....`..w................(...@......0R..............................................(R............... ..H............text....2... ...4.................. ..`.rsrc...w....`.......6..............@..@.reloc.......@......................@..B................H.........[.*lQ..........(..c3.\.(......................................0<.I.......s.u.....}.'....}.'..s.u...(....~u.....(....:.....(....&.......%.......(@....(a...(....(.....(....}.'..(.....r...p(:...~.'..%:....&~.'.....u..s....%..'..oT.....o...+}.'...o...+...s....}.'...{.'..o....9#....(....:.....{.'...o.....{.'...o......{.'....{.'......u..s....(.....{.'..o....95....{.'..o....9%....{.'..o....:.....{.'..oB...:....(.....{.'..o|...o....9$...r...p.y..........%.......(@....(a....{.'..oH

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1077592
                                                                                                                                                                                                                                                                  Entropy (8bit):6.435239338734592
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:n7PeeMxAg8KA6EhyC/H488sCGF8MBo9Bi8sROlu4VWKl6sEPdf8/2RYv:cxNEhyC/H488sLqMDIlu4Nl6suK2Re
                                                                                                                                                                                                                                                                  MD5:EEDA10135EDE6EDB5C85DF3BD878E557
                                                                                                                                                                                                                                                                  SHA1:8A1059DFD641269945E7A2710B684881BB63E8D2
                                                                                                                                                                                                                                                                  SHA-256:4B890DE3708716D81C1C719B498734339D417E8FFC4955D81483D1EBC0F84697
                                                                                                                                                                                                                                                                  SHA-512:A56BFC73537E36EFBA8E09FFD0B2F6BFC56BC4CB4FE90B52858C7AFD5D67DB23CCBA51C8097BEFE4ECB5082BA66C2B2612E2975EF3448252C48B97F41D12D591
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^1...P...P...P..!z=..P..!z<..P.......P...P...P.......P.......P......!P......qP..=...<P.......P.......P..Rich.P..........................PE..L...8d#I...........!.....>..........a........P...........................................@..........................6..c....)..<.... ...............V..X....0..........................................@....................)..`....................text...s<.......>.................. ..`.data...d....P...H...B..............@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.cnf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):638
                                                                                                                                                                                                                                                                  Entropy (8bit):5.242618018191851
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:oOtKAD4cL4jVpfWBzX2TShiucyjmwB//Rmq5FjZijTofkVge1O0lgxErqM6n:ocKVg30ucBwB//Fjc7VgQ6erJ6
                                                                                                                                                                                                                                                                  MD5:D011ED12A4DC54F39CD759858187A2BB
                                                                                                                                                                                                                                                                  SHA1:EC4F5ADDF866E895804F165B11A3113BE2BBDF80
                                                                                                                                                                                                                                                                  SHA-256:149C66BB43535842B1C958BD374C63151A9004F167F84FF4C26D824140D94546
                                                                                                                                                                                                                                                                  SHA-512:D8C126A9D49CABE4F5A7426E8A28C307175705793A0BA00B389A6CF102E1C5B67EAAD86120D18E4255939BA25A16941509FF200645BEAA5ADDF806AAF78D632D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..fips = fips_sect..base = base_sect....[fips_sect]..activate = 1..install-version = 1..conditional-errors = 1..security-checks = 1..tls1-prf-ems-check = 0..drbg-no-trunc-md = 0..module-mac = E7:9A:3C:79:A6:26:9B:08:C8:49:E6:39:CF:53:1D:51:80:84:F9:03:51:1E:6F:F7:0D:54:99:06:7E:6F:7A:D9..install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11..install-status = INSTALL_SELF_TEST_KATS_RUN....[base_sect]..activate = 1....[algorithm_sect]..default_properties = fips=yes

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):697864
                                                                                                                                                                                                                                                                  Entropy (8bit):7.894512069336346
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:Oek+rZ1rpE3R12+FB0eieQUAD3+yrjxZq0TjhECtMk7cRewV+KGQabw:Oe7PrpEvnFB0eie/EuyXxZq0T/tDcRhH
                                                                                                                                                                                                                                                                  MD5:6988F7203F05D378C5891246FD6BDB8A
                                                                                                                                                                                                                                                                  SHA1:61BF4CC18635D2367079F8D0EFD68D0ADE0649CC
                                                                                                                                                                                                                                                                  SHA-256:E492BDD2BEA606D5FF645B8E79F294B4811CA987FF9D7B53B49079D305F03AD4
                                                                                                                                                                                                                                                                  SHA-512:8DB30DF8B64B283D35BB78BF813D6FCE476E8EEDC77FBFB6780D58316AFF8A9C728A4BBE9D593E60913CC14696EDEBA25C0AFEE3338275E4EB62CEDB6235681E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+..fo.i5o.i5o.i5$.j4d.i5$.l4.i5$.m4{.i5.3j4z.i5.3m4~.i5.3l4q.i5$.h4h.i5o.h52.i5o.i5b.i5'2m4..i5'2i4n.i5'2.5n.i5'2k4n.i5Richo.i5................PE..L......f...........!...)............0 .......0...............................@............@..........................4..P....3.......0...............~...(...4......................................."..............................................UPX0....................................UPX1.............t..................@....rsrc........0.......x..............@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.cnf

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):168
                                                                                                                                                                                                                                                                  Entropy (8bit):4.40567624896974
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:ekfDaZOtK1FA1Jn4R7mvLvn4RYVXKCw/AFLr+TmNfOmZyJn:xiOtKADn4NmvDn42oCQG3+TJn
                                                                                                                                                                                                                                                                  MD5:A43B7D72B482D48804B377D8832C2693
                                                                                                                                                                                                                                                                  SHA1:B1598EFDA8E9863F520ABEF9AAA942C313C002FD
                                                                                                                                                                                                                                                                  SHA-256:9ACDE3809E2C02FE5D6C59153AEFFFE6628996EC5CFB7C2385865DCD1EC8BE7E
                                                                                                                                                                                                                                                                  SHA-512:F0777A8F79E70F8A12F531C3E77F5241E9ED46ACC6A1CBF06FF7A29D91EE281E4CD2A9C1832642992FE74D33B052670F85439E5925FDB7C44DE60014E53712DA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..legacy = legacy_sect....[legacy_sect]..activate = 1

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):160776
                                                                                                                                                                                                                                                                  Entropy (8bit):7.899895349405453
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:H/sEMdTGyFIYyCYpJLCKbfBzucH7Qt3zgHIlWbKIxUNCWJzQAaDFD:UHUTCwRJbU3zOb7FWJQ1
                                                                                                                                                                                                                                                                  MD5:9E2B825AE78562717311B9D8B92D764F
                                                                                                                                                                                                                                                                  SHA1:B878616DF4D36F6694FB9F1826F7D08D01088AE5
                                                                                                                                                                                                                                                                  SHA-256:A874CA3EC78D406D5C45F9AEEC8A3ACB4E4C9E4677D383F09A2D85CE1B70987D
                                                                                                                                                                                                                                                                  SHA-512:B8C201ED6B856DB07B031A30E6D28C3A5A62DAF39A75265F8AC0DA58C3DAF8ED7609DF91C7A946118D390468A48C6A0AACA5BB7FF501770AF366CAC7F003C6C2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ge[.............~.......~..n....~.......~..........................................s...........................................Rich............PE..L......f...........!...).P.......p..................................................:.....@.........................l...P............................L...(..........................................................................................UPX0.....p..............................UPX1.....P.......B..................@....rsrc................F..............@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):106488
                                                                                                                                                                                                                                                                  Entropy (8bit):6.320283872849081
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:idvQnJ9Cy5G4XmkRCXZ5YPPAq4SjIZUKzFrRjbuPp94H:idvby0lZ5YPPAq4SjIZUKLjbuPTw
                                                                                                                                                                                                                                                                  MD5:8428C29E17CAE62C8379B330C45251C8
                                                                                                                                                                                                                                                                  SHA1:2EE8C04014D6424D98CBA58C3F67B4A0C045B360
                                                                                                                                                                                                                                                                  SHA-256:94AFE8C66336AB54770DFF910AF4F4B7B572F3C843E42B73C8948463614C1A50
                                                                                                                                                                                                                                                                  SHA-512:3621ABE3DD0BFBF1FEAA7F0B4D31056447406321DF66FD60F79A7077F54641DB19DB8FB11B900E182733C35B96EE0555F159F5DD912CE6C17D99B39D8E057052
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......K.>..S......#.........:...............0.....m................................rD........ ......................P..o....`.......................w...(...p.......................................................................................text...............................`.P`.data........0......................@.`..bss....4....@........................0..edata..o....P.......*..............@.0@.idata.......`.......6..............@.0..reloc.......p.......:..............@.0B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1336328
                                                                                                                                                                                                                                                                  Entropy (8bit):7.871375711510445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:B/fqcYYzqZYz970TN1T42xGWD9bujQdC5NNQIpL8575+HZ0tuC+:NHRzHuh1cQGWDRu08Q0L8J5+HZ0tuC+
                                                                                                                                                                                                                                                                  MD5:67998603B05979931B23D16655529E15
                                                                                                                                                                                                                                                                  SHA1:A7EE73C900A3F6EEDFDEFDBC3A2099D5185BAEE2
                                                                                                                                                                                                                                                                  SHA-256:6A08DBFBFBBDEFE80D9CFCDF8BC26C9183A4FFEE24EEE0FA62571381AD28E9D4
                                                                                                                                                                                                                                                                  SHA-512:1BB92EBA016C76CB446FF0152BB13EF6043E05A5E2C14B38080F6CC7DA5CC2E4CC25C88717222917C128DC08F9DA3937E1635FBB21BCC4ABF10B9344CBED2369
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.seb.seb.seb..fc.seb..`cxseb..ac.seb..fc.seb..ac.seb..`c.seb.sdbWseb..dc.seb.seb.seb..ac!qeb..ec.seb...b.seb..gc.sebRich.seb................PE..L......f...........!...).....0....(.`.:...(...:...............................<.....*.....@...........................:.|"...:.@.....:..............<...(....<.....................................D.:.............................................UPX0......(.............................UPX1..........(.....................@....rsrc....0....:..(..................@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):665096
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7123002524702144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:Q2faLhcqedTWswfIGeXJlte2MU0hFVX2YNGp:Q2CLWJWLI53JwVX22Gp
                                                                                                                                                                                                                                                                  MD5:9CC8906D902382CC11C4D4D3BBED8DBD
                                                                                                                                                                                                                                                                  SHA1:9A73671E7952DE65E8A8CA21ADFABC871E157046
                                                                                                                                                                                                                                                                  SHA-256:CF199C492F0AA0376BE124E74DB1B6B7D5FCC796F37714B777CBADACF3F07E46
                                                                                                                                                                                                                                                                  SHA-512:28857B9BE062229C1DAFDE61444FEAF0A63B888D9670BC878B7BF7E2F41B60533AF87863BE0F6A47FE4E950927EBEA18FAFD32C2D2EB73A28CC5BED602F30DA5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........G.bj..bj..bj.\.i..bj.\.o.5bj.\.n..bj.....bj...o..bj...n..bj...i..bj...k..bj..bk..cj.\.k..bj...n.%bj...j..bj.....bj..b...bj...h..bj.Rich.bj.........................PE..L......f...........!...&..... ...............................................P............@..........................c..$...$m...........................(......lT...U...............................T..@...............L............................text............................... ..`.rdata..............................@..@.data....1.......$...~..............@....rsrc...............................@..@.reloc..lT.......V..................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):623056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.452703221703766
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:vcqfl06LEuieb/drb93hVzyp5dl+lyyMKhoRZhD9ZKck9Qh/5Ffdw0CnbHu9gJJt:kqdFzbFrbUp5dl+lyyMKhoRZhD9ZKckB
                                                                                                                                                                                                                                                                  MD5:B03D660319962C265C8A5E6F89CD019D
                                                                                                                                                                                                                                                                  SHA1:289BA87563ABA33D9385C04834745AF4F5BE1882
                                                                                                                                                                                                                                                                  SHA-256:66ECEBD3D11557D42AE33B64E522F371D6D27651B8B7350BEF41F691FAB1465E
                                                                                                                                                                                                                                                                  SHA-512:F5376FE1195A14DCC4F1265F61088EF0452C72DCF17F0B7AA4ED4DB903347C60C9557E556DEAF0244DB0A5F3EA8B7065D7D66BD1638D1EC566EE26110854D5E1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......97..}V..}V..}V.......V..t...tV..t...mV..t...zV..}V...V..t....V..t...|V..c...|V..t...|V..Rich}V..........PE..L......Q...........!.....b..........+*..............................................?.....@.............................Uh......P....................j..............................................p...@............................................text...~a.......b.................. ..`.rdata...............f..............@..@.data...$.... ......................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):342024
                                                                                                                                                                                                                                                                  Entropy (8bit):7.895641722792913
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:1Y2e1wyPJHcHPL4W84QDcsKzJEraJJZ90eGBSemTEMNFrUCoSbL:LaJS0W84QopzJE2JJseGBugMNFhbL
                                                                                                                                                                                                                                                                  MD5:523BA7EBE060B6961722FF97089695B7
                                                                                                                                                                                                                                                                  SHA1:EFC5C558A78CD5DB8F3F0DC510FCFF8EE4876E77
                                                                                                                                                                                                                                                                  SHA-256:EA3795FB2D4CFE2FE70F616E3C5D9BD73DADEA39F8CC3A4BF81389F73352097A
                                                                                                                                                                                                                                                                  SHA-512:A2265D470FCBCC7E0E8AE88B44969768FF1216F76177EE4B9531FB09C980D9D4B1331D41E184BA1F0E66356B5530E7946F614CA7FCEB449B6C1228BC2233755D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.C..XC..XC..X...YI..X...Y...X...YW..X...YA..XSA.YU..XSA.YR..XSA.Y\..X.@.Y@..XC..XP..X.@.Yq..X.@.YB..X.@.XB..X.@.YB..XRichC..X........PE..L...g..f...........!...).....P......pd.......p............................................@.........................lt...>...s.......p...................(..$.......................................\f..............................................UPX0....................................UPX1................................@....rsrc....P...p...D..................@......................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1080320
                                                                                                                                                                                                                                                                  Entropy (8bit):6.54617867437111
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:D99IeBE76bZaCUrF0XbuqIpInZVrUCzfk44dH:D9S+EAZeY/UfZ
                                                                                                                                                                                                                                                                  MD5:39F617D7B979F6C6A3F49E3ECEEEDCC1
                                                                                                                                                                                                                                                                  SHA1:5CDD9B895F68D7D33FAA83C1C91A326A24D3D1C4
                                                                                                                                                                                                                                                                  SHA-256:85CBBD4990E82B653C3DE90CE6D873395D501D26652555A95FFA2498AF5B751E
                                                                                                                                                                                                                                                                  SHA-512:8098D896FF87095CBA3F58B73DB8BE820EE453172FC6615A6F6AA86FC2FD1C82D6564EAB37196F919F35AFDD77F40ED8ED27A6F057141FBE5C13E70D410C6691
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....TN...........#.........P.....................q.........................p......3......... ......................p..............................T...(...0...9........................... ..........................P............................text...L...........................`.P`.data...............................@.`..rdata..............................@.`@.rodata..............|..............@.`@.eh_fram ...........................@.0..bss..................................`..edata......p......................@.0@.idata..............................@.0..CRT................................@.0..tls.... .... ......................@.0..reloc...9...0...:..................@.0B........................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):6332416
                                                                                                                                                                                                                                                                  Entropy (8bit):7.4749391416152635
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:196608:+8Co7mhMKgeEyArU3/Rlr4MpWD1Ytty0cBiIgKR9vXooBF7QmQVmdYdlkSIJC7:wchgxoBFVImdYIU
                                                                                                                                                                                                                                                                  MD5:94988930DDDF8B7046EF683E00683698
                                                                                                                                                                                                                                                                  SHA1:420EE1B24BB1CC5C60B3E8D2B0542738DBA014BB
                                                                                                                                                                                                                                                                  SHA-256:FE4DEC84458C29BCD7D00A440522FBF3A5A3F83679282BB24BB8499ED17D74B3
                                                                                                                                                                                                                                                                  SHA-512:319600D9DC7F77D6808B60C3315F652A3DAABD631F780E63DBD4D9EAC9015D023F2432CC4F3ACE8A88785BE3DB2C15F86206C851383EA7DAACAFEB55776E0595
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........R2.h<a.h<a.h<a..?`.h<a..;`.h<a..8`.h<a..9`#h<a..:`.h<a..=`.h<a.h=a%k<a..?`.h<a..8`.h<a..9`pi<a..9`.h<a..<`.h<a...a.h<a.h.a.h<a..>`.h<aRich.h<a................PE..L....=.g...........!...).N...pD.....j4.......`................................`.......a...@.........................0.".p.....".......#.`.:..........x`..(...`^.x...(. .T..................... .....h. .@............`...............................text...3M.......N.................. ..`.rdata..dw...`...x...R..............@..@.data........"..l....".............@....rsrc...`.:...#...:..6#.............@..@.reloc..x....`^.......].............@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2006016
                                                                                                                                                                                                                                                                  Entropy (8bit):6.626171499865031
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:9qoyEq23KY0eQlLvw2S5lIuWPtneyJ1bH08P2m:9qvDk/PQlTdSzIuytneyJ1bH0E
                                                                                                                                                                                                                                                                  MD5:89B8CAC8842BF80F3E49E6514E71439D
                                                                                                                                                                                                                                                                  SHA1:52FF66869C27422CA4E67842A027CECE9B461916
                                                                                                                                                                                                                                                                  SHA-256:43EB30D839138C0643E385E9575E06C850F660FFBD443F3F9CB2B35F238BCE55
                                                                                                                                                                                                                                                                  SHA-512:1E4CF691E92FEA86D948C33B19E768C857BF9F39DD51CC9037AD36934889A168969CD0416EC0CCA5884EDE4ABC00C8343A378753B4D199A73C5E335986FF41CE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.?.e...f.?.b...f.?.c.*.f.?.`...f.?.g...f...g..f..Qe...f..Qb...f..Qc..f.Po...f.Pf...f.P....f.......f.Pd...f.Rich..f.................PE..L...*=.g...........!...).............................................................L....@.............................<...............hA...........t...(......L.......p...........................P...@............................................text.............................. ..`.rdata..............................@..@.data...H........X..................@....rsrc...hA.......B..................@..@.reloc..L............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1984000
                                                                                                                                                                                                                                                                  Entropy (8bit):6.631644667714026
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:lKo5RsoQpMzEeW13uF8DBgyB5YCngEf0NoV3kmGOxVG:lF5qtp+bW13uF8gjCgQ0aV3kmGO2
                                                                                                                                                                                                                                                                  MD5:E9DA848945FFB438C2598F88283E6548
                                                                                                                                                                                                                                                                  SHA1:2D6C20165D17A7A52ECB6D4B932339555D013AA9
                                                                                                                                                                                                                                                                  SHA-256:778019739F3BF67632DB749AAB8A938A2D6C385ADB61B8D46EBEF3568582D61C
                                                                                                                                                                                                                                                                  SHA-512:576266102ED10FFD9C6F46850592A28D9887DE402801FD041FAFE3BEC3AFA94DBF647A429CB9E3AD32F3870B96CA85DD1B6F482E6E42E513B4512FC434CF38E3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........f...f...f.].e...f.].b...f.].c.K.f.].`...f.].g...f...g...f..ge...f..gb...f..gc...f..fo...f..ff...f..f....f.....f..fd...f.Rich..f.........PE..L...G=.g...........!...)............................................................G.....@.........................PM.. ...pN..T....0..PA...............(..........X...p...............................@...............@............................text...`........................... ..`.rdata..............................@..@.data...0........V...v..............@....rsrc...PA...0...B..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2107904
                                                                                                                                                                                                                                                                  Entropy (8bit):6.628063200615706
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:JppagIDAbM1lAp7FO/U8P1Hj8q5sP9MxAPkHIq2yid:Hw5cofApBOc8PFj8q5sPyxAPkoq3S
                                                                                                                                                                                                                                                                  MD5:E4615DF54082557B0B9C784428EC320B
                                                                                                                                                                                                                                                                  SHA1:72C93F64E810B944F6499A0FBE00AF7FD04ABD06
                                                                                                                                                                                                                                                                  SHA-256:8B663A51EED6DCFD68AE7C98A889E02FE9DB268B8FDD59C9DEFA264976EEB86F
                                                                                                                                                                                                                                                                  SHA-512:4E9E52FE40F18217BAC0F79B62D03D34EEC640A721304927A46947EB1C9D01D39E0ABF388565873C21BA6459D9B5789A8A9B843E25CE296796399CBEAFD20A82
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............z.P.z.P.z.P4..Q.z.P4..Q.z.P4..Q3z.P4..Q.z.P4..Q.z.P.z.Pny.P...Q.z.P...Q.z.P...Qm{.P...Q.z.P...Q.z.P..}P.z.P.z.P.z.P...Q.z.PRich.z.P........................PE..L...\=.g...........!...).....L.......c........................................ ....... ...@............................. .......|........D............ ..(...P..$"......p...................@...........@............................................text............................... ..`.rdata..f:.......<..................@..@.data........P...\...<..............@....rsrc....D.......F..................@..@.reloc..$"...P...$..................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2351616
                                                                                                                                                                                                                                                                  Entropy (8bit):6.684695815983325
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:zONnFeY38R07gdM5jPxqnRZhleMMS9f7a5qbFjRiTg+T09d:zO1Fx34M5jZqRZneMMS9fW5qbFjl+g9d
                                                                                                                                                                                                                                                                  MD5:B10CE6F86C8E15B661A72466F8F9F8DB
                                                                                                                                                                                                                                                                  SHA1:F266AF59177D39FB01710E297E2967EE387A9377
                                                                                                                                                                                                                                                                  SHA-256:79CC082B28DABC8811F7D63CB34FA046C543A87D896A392FE9D1F7BA5A8609E9
                                                                                                                                                                                                                                                                  SHA-512:BB6D90B2A62524632E1571925C1185F3B0E72710A1FC93F68D0513525130BA88F655A40A67BD1CE0F3D711AE7BB9916A0FA30FC270EACFD21498876C0C7027B8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............l.X.l.X.l.X'..Y.l.XI..Y.l.XI..Y.l.X'..Y.l.X'..Y(l.X'..Y.l.X'..Y.l.X.l.Xzo.X...Y.l.X...Y.l.X...Y}m.X..wX.l.X...Y.l.X...Y.l.X...X.l.X.lcX.l.X...Y.l.XRich.l.X........................PE..L....=.g...........!...).....b...............................................0$.......$...@........................... ....... .......!.`E............#..(....!.h6..p...p...............................@...............P............................text............................... ..`.rdata..N;.......<..................@..@.data......... ..^.... .............@....rsrc...`E....!..F...<!.............@..@.reloc..h6....!..8....!.............@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):108032
                                                                                                                                                                                                                                                                  Entropy (8bit):6.392406183079777
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:4DMkwASAlBbybU8rxkQz/g9pV9Z2dcvxp267OKiY+dp9oL:4oASAv9FYUp3OKiY+n9oL
                                                                                                                                                                                                                                                                  MD5:93601A93026211DE5CB00C3827883EEC
                                                                                                                                                                                                                                                                  SHA1:931CBC627272361425EFCAEE6362B041A3FF6E3B
                                                                                                                                                                                                                                                                  SHA-256:1959B8E79F5BC0AB7451F0F362A714572136503C864C974E1088B1951EE592A1
                                                                                                                                                                                                                                                                  SHA-512:53C5F46A1E1F188C429EE686F9CE7E0A8ED5B5BDFA51D8DD3B619B9FD61B8F6EDCC162BCBA667E6336CBED8056F0A17A614170C60059BDB2947770223D19FBC5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.....{...{...{.......{.....'.{.......{.....s.{.#.....{...z.f.{.......{.......{.......{.Rich..{.................PE..L....9._...........!.....&...|......P-.......@..................................................................... r..s....k..(...............................l...`A...............................f..@............@.. ............................text....$.......&.................. ..`.rdata...7...@...8...*..............@..@.data....L.......0...b..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\reboot.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3221
                                                                                                                                                                                                                                                                  Entropy (8bit):5.297235243948338
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:3UoGnVsAdB/+8W3/VcCDO/wAKCRIpCBIweFC4+C/+CYFc:3UoGnVldBWtejp6tL
                                                                                                                                                                                                                                                                  MD5:ABE8E3568B6D951E7DD395DA46531932
                                                                                                                                                                                                                                                                  SHA1:304D81C1B48E16533EF691A9C965818136B9583C
                                                                                                                                                                                                                                                                  SHA-256:EB700422C31C15757A6C70141274A184D291AAC3BDE191A964F75A90BC084143
                                                                                                                                                                                                                                                                  SHA-512:19A79D90883103302BDDBAC8A765C6A5196FB78C223D911633285B4BA44EBFFA9C64690102498E3BEF5991DBA0F28847473A44D4F9AA7D637A4C4D3F1EFEA12E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:@ECHO OFF..rem %1 - mode..set RMode=%1....IF NOT defined RMode (.. set RMode=1..)....echo RMode=%RMode%....IF %RMode% EQU 1 goto close_and_open..IF %RMode% EQU 2 goto normal_reboot..IF %RMode% EQU 3 goto reboot_to_safemode..IF %RMode% EQU 4 goto shutdown_byebye..IF %RMode% EQU 5 goto boot_to_normal..IF %RMode% EQU 6 goto boot_to_safemode..IF %RMode% EQU 7 goto normal_reboot_asrs....echo RMode=%RMode%....:close_and_open..net stop splashtopremoteservice & timeout /t 5 & net start splashtopremoteservice..GOTO end....:normal_reboot..SHUTDOWN -t 10 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:normal_reboot_asrs..SHUTDOWN -t 25 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:shutdown_byebye..shutdown -t 10 -s -f..GOTO end....:boot_to_normal..ver..ver | findstr /i "10\.0\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt6x_boot_normal..ver | findstr /i "5\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt5x_boot_normal..ver | findstr /i "6\.*\." > nul..IF %ER

                                                                                                                                                                                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):194632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.700953544041196
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:CgElAKvMslbFN3XCm3dbSDcTn6iw5t4FEvQeXyB8LGeph+K:IFD3dmABw5SFEv/ypeqK
                                                                                                                                                                                                                                                                  MD5:4A2F597C15AD595CFD83F8A34A0AB07A
                                                                                                                                                                                                                                                                  SHA1:7F6481BE6DDD959ADDE53251FA7E9283A01F0962
                                                                                                                                                                                                                                                                  SHA-256:5E756F0F1164B7519D2269AA85E43B435B5C7B92E65ED84E6051E75502F31804
                                                                                                                                                                                                                                                                  SHA-512:0E868AD546A6081DE76B4A5CDCC7D457B2F0FB7239DC676C17C46A988A02696B12A9C3A85F627C76E6524F9A3ED25F2D9B8E8764D7E18FC708EAD4475591946F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................9...................................................................Rich...........................PE..L...4.*b.........."!.................C....... ...............................@............@.........................p...........<.......................H.... ..P.......................................@............ ..d............................text............................... ..`.rdata..N.... ......................@..@.data...............................@....rodata.............................@..@.gfids..............................@..@_RDATA..............................@..@.reloc..P.... ......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.version

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):50
                                                                                                                                                                                                                                                                  Entropy (8bit):3.951272380112911
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:ilQC7BRFSRHLgQbLi:w7BTiBbLi
                                                                                                                                                                                                                                                                  MD5:BB568E3396EAB3BC8E5B4084D3288C15
                                                                                                                                                                                                                                                                  SHA1:0C06BC1D72CF0706B7A901F4570A73E4CD151172
                                                                                                                                                                                                                                                                  SHA-256:B648A485B2762EA04CDCFB1C4631F0A75929D1ED8B7C1DF4BB139F0201662643
                                                                                                                                                                                                                                                                  SHA-512:42B379CB8596E258393948B5394FC5840DB3D9B76BEAAACD1BFBFE6C860C3835596BCBD4B31CDFF444A9AFEF46EE617BFD830AE46F08C974186A47DA2ED43272
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:b357f86ce3bce7c232ea242074b17bebdc50b543..6.0.35..

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1042720
                                                                                                                                                                                                                                                                  Entropy (8bit):6.759185121370171
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:a93g4kD8aA+u1xjx1nu+Vu9yHZzsYghdi4YNLNlqx:W3g4kDiLlVu+Vu9yH+XiFi
                                                                                                                                                                                                                                                                  MD5:C3928A25CD29B21B84DF1554B4EA3FEE
                                                                                                                                                                                                                                                                  SHA1:057F67EB18BC2B19CB77AC413141DE255DBD0211
                                                                                                                                                                                                                                                                  SHA-256:79E9D346314609D493344EA0C51AE8E93DEAA5870A105FC07EB29E8458748CBE
                                                                                                                                                                                                                                                                  SHA-512:825FD54D970A7B02C7863C45B574CBF3D51B0CFA33B51681B8D96D5D32771A4EF24EBCE5C57AFF664AB7231279A60871C8967745F87A9698347E4A66E0DB3EAC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d... ............." ................................................................y.....`...@......@............... .......................................6...j...... )......<...`D..T...............................................................H............text............................... ..`.data...D...........................@....reloc..<...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2309152
                                                                                                                                                                                                                                                                  Entropy (8bit):6.414576855139372
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                                                                                                                                                                                  MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                                                                                                                                                                                  SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                                                                                                                                                                                  SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                                                                                                                                                                                  SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Wq0...^...^...^.Xh]...^.Xh[..^.XhZ...^..]...^..Z.'.^.Xh_...^..._...^..[.m.^..W...^..^...^......^.......^..\...^.Rich..^.........................PE..d....ZY..........." ...(.....\...... 0........................................#......)$...`A.........................................Z!.p....[!.P....P#.......!..W....#. (...`#..>.....p.......................(....U..@...................0Y!.`....................text............................... ..`.rdata...Y.......Z..................@..@.data....a...p!......^!.............@....pdata...W....!..X...t!.............@..@.didat..p....@#.......".............@....rsrc........P#.......".............@..@.reloc...>...`#..@....".............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.deps.json

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32962
                                                                                                                                                                                                                                                                  Entropy (8bit):4.336195794839597
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:+BP5VEsIhKPMEPrT3XCGjDyiEc6BHa21Fe8kFN92uwtEeCJyK:6RVEsIhKPMEPrT3XCGjDyiEc6BHa21Fk
                                                                                                                                                                                                                                                                  MD5:4D015F352BB2E8413AC4215371BC5E35
                                                                                                                                                                                                                                                                  SHA1:ADFF306655001DCD02003372C2AC439A7BE17C59
                                                                                                                                                                                                                                                                  SHA-256:686481AE0DD4F3F7E44B2A4FA2949B319A0F701437CA42FDA78D637EBC2BD298
                                                                                                                                                                                                                                                                  SHA-512:DA871BA710634EF171A80ACD1A473BEB8204E8DF10F375CB999B9FF1A95264C256D5C7E01531F62E8D4A2608BBB858A7C6209DCBE2348E360C7F231861D3CF5C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {},.. ".NETCoreApp,Version=v6.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/6.0.35": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "6.0.3524.45918".. },.. "System.AppContext.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3524.45918".. },..

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.NETCore.App.runtimeconfig.json

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):159
                                                                                                                                                                                                                                                                  Entropy (8bit):4.54941695087313
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:3Hpn/hdNxDI/pANC+KL4nNOcW3mJAGRM3Bojqy2VKXmHEk/FTy:3Hp/hdNyhAk+Q6NOCUo+K8EkNTy
                                                                                                                                                                                                                                                                  MD5:3FBD84A952D4BAB02E11FEC7B2BBC90E
                                                                                                                                                                                                                                                                  SHA1:E92DE794F3C8D5A5A1A0B75318BE9D5FB528D07D
                                                                                                                                                                                                                                                                  SHA-256:1B7AA545D9D3216979A9EFE8D72967F6E559A9C6A22288D14444D6C5C4C15738
                                                                                                                                                                                                                                                                  SHA-512:C97C1DA7AE94847D4EDF11625DC5B5085838C3842A550310CCA5C70BA54BE907FF454CA1E0080BA451EACFC5954C3F778F8B4E26C0933E55C121C86C9A24400B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1245448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.769261315323123
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:cxvknPxKYMVXllgnURGXuYl9wCi1Io+bZr:MvaPxKYcX8nURGX0CiY
                                                                                                                                                                                                                                                                  MD5:97F73DE2693B5F6EF780513E9179DDCF
                                                                                                                                                                                                                                                                  SHA1:EC998FAE441D1761960E1A1937EEADF60AE2ACC0
                                                                                                                                                                                                                                                                  SHA-256:92F5BAC23616A987292E4D65AABC8F16D102BAF50C1785A41C38305BC99A20B7
                                                                                                                                                                                                                                                                  SHA-512:98CE22DC95F50DA11F9828C9777DEF21AAB1EF95FAC938388766E2989C134F72896C7C8E1F686CF45077096879CFFD277CF94A7DBCECA238FD9BA0169DE8A14D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...a`............" ......................................................................`...@......@............... ..................................L........k.......)......l...(D..T...........................................................P...H............text............................... ..`.data........ ......................@....reloc..l...........................@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............d...^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........R.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):26376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.566822188548986
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:TWhPTpWvZWnjmMDQnqyXhHuo0XWjYA6VFHRN7KW+ONSR9zdVHJ3:eVjm5n5XdCIFCl7BNe9zh3
                                                                                                                                                                                                                                                                  MD5:1F61CBDDE703B882F07EF7D71C3D3D25
                                                                                                                                                                                                                                                                  SHA1:F09B9EC89343C7EBACCA3C956859F46A30BCE04D
                                                                                                                                                                                                                                                                  SHA-256:B64A75F89C611F4CF88EC9AE85BB34D719578B01C106B16E2E8703694ABD1B0C
                                                                                                                                                                                                                                                                  SHA-512:78A90230E462F2AFE911E88E974FA7976D957DEFD3FF04C9B141D970AE25F29BE3F70C1D4ACFEE43C319FA80A142663B66EC3CE073EDB8AC99616720CDD0BB96
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...i............." .....4...................................................p............`...@......@............... ..................................D............>...)...`..\...8...T...........................................................H...H............text....2.......4.................. ..`.data........P.......6..............@....reloc..\....`.......<..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Registry.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):87824
                                                                                                                                                                                                                                                                  Entropy (8bit):6.609888713325627
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:61Qcxml5haPYOueQFjym3sykEomWxGsVico5Bkbxliw33zC:61QIml5wPY3Fjy5ykE8xGsVicCBsXp3O
                                                                                                                                                                                                                                                                  MD5:EA5EF3E9C8F7A2A240ADB2D2D225AC01
                                                                                                                                                                                                                                                                  SHA1:EF69C741CF3CE92CC5B68E825C9E9796BAA9246B
                                                                                                                                                                                                                                                                  SHA-256:8609E30FBDE9BFE93B51A31E27963C44195EAC284904F5EA19E435E81CC9293D
                                                                                                                                                                                                                                                                  SHA-512:98C6B84FCB38F35E281265B7DD046A1CDFC1A31F787A011FE8227478C7D7C38AEBB09D350BAD457A115555BE28B7A6FD78659AC5A26AAF8A5B7970C25B19260D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....p..........." .........................................................`............`...@......@............... ..................................8...p............)...P..........T...........................................................8...H............text............................... ..`.data........0......................@....reloc.......P.......,..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):666288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.78661325216844
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:W36Xx8oDIB+7QBj0YBC6WXz66M4cRuco/oMy5iu:W3EWIX5at
                                                                                                                                                                                                                                                                  MD5:1B93945C7F04740122C60D8C9221654A
                                                                                                                                                                                                                                                                  SHA1:D19F777B688704693BDE7C8B0456D8D82D8B3AB4
                                                                                                                                                                                                                                                                  SHA-256:0C23E0E757D0DBF213A6BBFF8A76336D0AE762547EE898FA6F03F4C1A11C63C7
                                                                                                                                                                                                                                                                  SHA-512:23319E803AB3A271812FE3BFBBA76EDF33D8F13C446CABA164BE1E68C0645B4D119818644642F15A02C266FE65090688D3734CB8BFD0A61D81B5136E77C1AC88
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...nP............" ......................................................... ............`...@......@............... ......................................,...P^.......(...... ...."..T...............................................................H............text............................... ..`.data...:.... ......................@....reloc.. ...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...v./...C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e. .p.r.o.v.i.d.e.s. .c.o.l.l.e.c.t.i.o.n.s. .t.h.a.t. .a.r.e. .t.h.r.e.a.d. .s.a.f.e. .a.n.d. .g.u.a.r.a.n.t.e.e.d. .t.o. .n.e.v.e.r. .c.h.a.n.g.e. .

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):101144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.476048974487395
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:vfgNzmjhqPdxPhjxSd+XBQCvePLDrnsrpyi3:3Nhq0FsE4
                                                                                                                                                                                                                                                                  MD5:67FFDB95AB55A741D15CCCD4C7B75DBA
                                                                                                                                                                                                                                                                  SHA1:D73B4BFBF850A3184990976B959CF08F925FBD08
                                                                                                                                                                                                                                                                  SHA-256:1F8D33569B15DB329B49388E6DC03A9121739F2F4155901761A56CF66CFA2477
                                                                                                                                                                                                                                                                  SHA-512:744E2409DFDBF41B4E1A568B0323FBEDB3F08368C812664CF7B7CF0F4FA269C7641CCC3BDC82075B97494829CF29D08E928BCE8AB4290B312EB6AB7CB8249758
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....u..........." .....L................................................................`...@......@............... ......................................(3.......b...)..........H...T...............................................................H............text...0K.......L.................. ..`.data........`.......N..............@....reloc...............`..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...N.o.n.G.e.n.e.r.i.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Specialized.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):95496
                                                                                                                                                                                                                                                                  Entropy (8bit):6.534791453724649
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:jWfjc8LAhPvoiTCxaDVvkDTC5O7/LyY204yhpVeypoi8C4dezFc:j0QsAZNBsDTs+zyY204yhpVey6dIO
                                                                                                                                                                                                                                                                  MD5:2BB568CF400E0890E8AA25DA5445D3FF
                                                                                                                                                                                                                                                                  SHA1:15C9D61A4EEFA521E7FD3FD51DF60AF80486FFED
                                                                                                                                                                                                                                                                  SHA-256:49577AAE05031B386CB8C04275047ECE9A0D63A6C4BBDFB1A4AE3B7841761CE3
                                                                                                                                                                                                                                                                  SHA-512:C2616137D3D41CF9F1A3F89F4F891C7DB09C18332CE5367C433C868E38DC9AF34D7A5D29D6023464F4250DB5EB1124319ED2A04BE2CEE9371391C7C498D8992A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....V............" .....6..........................................................O.....`...@......@............... .......................................0..h....L...)...p......P...T...............................................................H............text...x4.......6.................. ..`.data...\....P.......8..............@....reloc.......p.......J..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...S.p.e.c.i.a.l.i.z.e.d.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):264992
                                                                                                                                                                                                                                                                  Entropy (8bit):6.761266470511353
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:30bzt+JuwscekH2KrzQ5t056pAje2l3qZ7CLzG:35JuwDvHQNW27CLy
                                                                                                                                                                                                                                                                  MD5:ECAF66EE198849D3200E028C0A31CE8B
                                                                                                                                                                                                                                                                  SHA1:521E58557861EC5E549BFE9836E6E54C55E7F38A
                                                                                                                                                                                                                                                                  SHA-256:193A45006B2330E29C5FC6D0D3F92C269D9E9BDF1FA141E51B0A07909B7A02E8
                                                                                                                                                                                                                                                                  SHA-512:A5A73B4D1C6D3E346FC7DC85CD1E77181F2946FE99F0181B7BE68B98D8319718A07D4707DD3F709778175D3FDE73915B9AFED8FC451210D93CC596C8DF6CD8F8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...6e8..........." .........@............................................................`...@......@............... ..................................t...,].......... )......,.......T...........................................................x...H............text............................... ..`.data.../9.......:..................@....reloc..,...........................@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...C.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):187192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.462092532995058
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:l7PmpgPixtBuguLv7F8IbGumTG5D5/vbF6V+F7LWYkQ6v+P0:FepnxeB1QG5lF7qtQ6v+M
                                                                                                                                                                                                                                                                  MD5:39FAEB8118FD29C6205C0A2129E91454
                                                                                                                                                                                                                                                                  SHA1:560A13F6BCAFB43B40F51770E6E2268AA2B37B4D
                                                                                                                                                                                                                                                                  SHA-256:8146999337103583BB15FFD1D5DA680D6FE35F594A5AE49EDCFF5A16BD8B7B74
                                                                                                                                                                                                                                                                  SHA-512:2631B643253CA643CDA19B9E3AEE72131EC5EAC4B7B81821DC45EA57B2A4CD23420A7808D979E90A609BE3D338BBC278F986E801001D92DC342FDF92ECC12F0D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....2w..........." .....v...:......................................................[.....`...@......@............... ...................................... G..........8)..........("..T...............................................................H............text...*t.......v.................. ..`.data...a4.......6...x..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...\."...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...A.n.n.o.t.a.t.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...l."...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17672
                                                                                                                                                                                                                                                                  Entropy (8bit):6.642694010569177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:m8imyfJe9eGXx44sAcUUWudXWwYA6VFHRN7T2lNbZR9zah6:m8j+nxTFClTsFT9zn
                                                                                                                                                                                                                                                                  MD5:399D1C1EE94247E9EF6500A017A71C1B
                                                                                                                                                                                                                                                                  SHA1:822F0321519EB59D625175CBF1A655F2F7699A9A
                                                                                                                                                                                                                                                                  SHA-256:D6693E0D5F2F24774E991A351F97D740E75A73FAD20295C4E2DDD51D9B65B6BE
                                                                                                                                                                                                                                                                  SHA-512:F577118238FC96FDACFE23CA6D37AA736CAD858022E20E65D881C7D06648D2D4EBD5E80E8F5B398E95A8F1DCE4B653022D71371AD9C75E514F687DA7359CD6A1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ...............................r....`.................................;0..O....@...................)...`......8/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................o0......H.......P ..h...........................................................BSJB............v4.0.30319......l...D...#~......L...#Strings............#US.........#GUID.......X...#Blob............T.........3....................................+...............M.p...P.p.....]...........................O.....7.................>.....[...............................9.....p.................W.....W.....W...).W...1.W...9.W...A.W...I.W...Q.W...Y.W...a.W...i.W...q.W...y.W.....W. ...W.....W...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):38672
                                                                                                                                                                                                                                                                  Entropy (8bit):6.487371211774158
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:2IzyrkRPK1c3I484t6gu2FClLsl9zal7pQ:2IzBP8c3z6guiiLs3zarQ
                                                                                                                                                                                                                                                                  MD5:F81A8E96C4B41133CE2FBA56D63F4C22
                                                                                                                                                                                                                                                                  SHA1:85849958E58BF6A9FD5BEFDB67FF98842E6466B0
                                                                                                                                                                                                                                                                  SHA-256:77367BEF47DE9D2DEF9C606906A84D733A1D688BCF7299956828FB54C6A36422
                                                                                                                                                                                                                                                                  SHA-512:65102174EDF155614F696E1A251A2DD6A69176B61211EC5194067FE203D6B73D91D6A8E6E9D63188DD8A76BAB051E7EB77BEF00D7C569A798E53CD9BF20B1A27
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....%..........." .....b..........................................................T.....`...@......@............... ......................................$...x....n...)..............T...............................................................H............text...Ra.......b.................. ..`.data................d..............@....reloc...............l..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...d.&...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...E.v.e.n.t.B.a.s.e.d.A.s.y.n.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...t.&...F.i.l.e.D.e.s.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):75424
                                                                                                                                                                                                                                                                  Entropy (8bit):6.41974698596593
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:P2sgnMIPQZQmsB2q+mKl/Q3mb1yF0YDC2oKQ15hC9QQs2mDLFClKmoQ9zRhoy:OsgXcmKmWYFlC2oKQsi3iKmVzRh
                                                                                                                                                                                                                                                                  MD5:596B37F463658FD24CE29F3F25C6628A
                                                                                                                                                                                                                                                                  SHA1:BE186A42FF6EE13C7F2546C3A7CAA622B4829FA7
                                                                                                                                                                                                                                                                  SHA-256:9B05AF160EFFCE0A352E0FB722350221A1F2A41010EFF10E769C12C3C28ABF10
                                                                                                                                                                                                                                                                  SHA-512:B03607DB59376501B6AFF0A0D04FA49B4CD106D9E009D5CBA006C6909A04BAD74FEAACAD0FE40704DA34D1D6AFD34F26D97C8B1090E4B6A177F52CEB5ADD4D54
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....A............" ......................................................... ............`...@......@............... .......................................&...........(..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...P.r.i.m.i.t.i.v.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):747280
                                                                                                                                                                                                                                                                  Entropy (8bit):6.696052130941475
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:Yq+dHPXqf5N+iMMturyUV8mIEUGKea0RAh5RNFRSll++KzUmw/BndUMHz6ifKjFW:yv+N+iMMturyU+m6RNFZUmw/BnfT6KK0
                                                                                                                                                                                                                                                                  MD5:97D87D45E05EAC86E89F33FFB66DD9CC
                                                                                                                                                                                                                                                                  SHA1:3B29D3210B4A1ABC1D2876599F776950E56C3451
                                                                                                                                                                                                                                                                  SHA-256:52BE87AB0CD386C0BE9538E44B9D1432BCF28370E98D568CBDAB409C84EC1889
                                                                                                                                                                                                                                                                  SHA-512:94834AD8ABB9F99E779D1DBF15502CA918B8D89ED83027CBDE5B7C8C15CBAF325286F4C127396E725F4490881D247EC411FD23E6D71C1B1C60A2C83366C18F06
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....._..........." .....n...................................................P......V.....`...@......@............... ..........................................<]...>...)...@..$...8=..T...............................................................H............text....m.......n.................. ..`.data................p..............@....reloc..$....@......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...`.$...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...T.y.p.e.C.o.n.v.e.r.t.e.r...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...p.$...F.i.l.e.D.e.s.c.r.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18696
                                                                                                                                                                                                                                                                  Entropy (8bit):6.596746437040324
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:LW4X1Wove+Scpij+uCozWEdYA6VFHRN7QHWMR9z2QgW:/RScci4FCl8Z9zzgW
                                                                                                                                                                                                                                                                  MD5:0C8FF2C70D84FB0202750D8A19E0EC20
                                                                                                                                                                                                                                                                  SHA1:0BCE9D795D182291948DA212B728CA3476D58F58
                                                                                                                                                                                                                                                                  SHA-256:651C26058CD4C530458E740923E4CA85F76EEF6FE9E915631678800E9AD7E862
                                                                                                                                                                                                                                                                  SHA-512:872D7DB41EA2941B9305C6702A18F32E8C3F9EB363E239CA2851D5F9EF7B724BD0D6B034FDEA07419A08CC30B7F8F667F2924E25180126F5CE747EB93C7987EE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....*u..........." .........................................................P......B.....`...@......@............... ..........................................`.... ...)...@...... ...T...............................................................H............text............................... ..`.data...N....0......................@....reloc.......@......................@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):19744
                                                                                                                                                                                                                                                                  Entropy (8bit):6.575603714433907
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:aXoWX0yXQB1uXTSv/fvNRvGZYdf3zyP/weZvEydDgWvfNWZUX6HRN799R9zrJRri:1niZvVCcWF9ze
                                                                                                                                                                                                                                                                  MD5:A559E0096F62D213A900AAF749F08F5D
                                                                                                                                                                                                                                                                  SHA1:31C37CAAF3F0FA6C6ECE9E3C98E905FFF921AF1C
                                                                                                                                                                                                                                                                  SHA-256:7B5BD709929BE586FA1B95B7066C3A4AD9B5462FB1F7714BB39E6DDFD3B54148
                                                                                                                                                                                                                                                                  SHA-512:B9803794E42E984BA841D5A32BE8553FEB9CABED2E59866B35E73D3AF3641FA9D60207F98254BA923F9B9AA902BF08941B545F19310B4596CD097B01F22FBB7B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7.(..........." ..0..............9... ...@....... ...................................`..................................9..O....@...............$.. )...`.......8..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ......................88......................................BSJB............v4.0.30319......l.......#~......h...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................h.....D...............s.......|...............D.z...............Z.................0.....M.................<............."...,...................v.....v.....v...).v...1.v...9.v...A.v...I.v...Q.v...Y.v...a.v...i.v...q.v...y.v.....v. ...v.....v...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):156936
                                                                                                                                                                                                                                                                  Entropy (8bit):6.5995271738923975
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:h3J/DYsIem43AYT+a5TfaEPvbKwUJmOaYIEipy50K:X/DyWqaFCGmdIcIEbb
                                                                                                                                                                                                                                                                  MD5:7710279322A362C928BF36639EFFBF81
                                                                                                                                                                                                                                                                  SHA1:2B679CA3058DC2A5C90F40D3C1A98C9553098AAC
                                                                                                                                                                                                                                                                  SHA-256:1842EFE9037300ECE2E81E40EC000FA9338A4C786CBCFED0B47DD05B1C4E77EB
                                                                                                                                                                                                                                                                  SHA-512:085C7342AECA9F65B9E3774BF2E84AC9D703D66F764678ABC79A1AB8D5F82BE59B50BA97B53303956F2DEB055553B419E91DE8002E8D219FB38AD933EC802ADD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........$...............................................`............`...@......@............... .......................................<.......<...)...P......h...T...............................................................H............text............................... ..`.data........0... ..................@....reloc.......P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):24336
                                                                                                                                                                                                                                                                  Entropy (8bit):6.299107673471786
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:/sIbPFWOUSnPEW51b04H9DGMq/tE8aQjryAkxkBm4U1zXtrC1IIKrWXi2WUYA6VJ:/vPFWOUSnP751b04H9DGMq/tE8aQjryz
                                                                                                                                                                                                                                                                  MD5:9354C7BD9F23D4899200DAAA3BE37296
                                                                                                                                                                                                                                                                  SHA1:440D5E15680AB4BCCDD656E598A12C8884A56390
                                                                                                                                                                                                                                                                  SHA-256:25D934AB5109749874D2FC86A356DB68DF98DE7F1A5857E3F2B8744173B1B8D5
                                                                                                                                                                                                                                                                  SHA-512:3549F0275E7C848EB7E3E3EB7B881C846F73D3F8448C3F5032E10A49A245D7310D3643B6A605A55DA88CC90F3DC6F132A26812A763580B0B36A81B8CC4AC3932
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>............" ..0..,...........J... ...`....... ....................................`.................................CJ..O....`..8............6...)..........tI..T............................................ ............... ..H............text....*... ...,.................. ..`.rsrc...8....`......................@..@.reloc...............4..............@..B................wJ......H.......P ...(...................H......................................BSJB............v4.0.30319......l.......#~..........#Strings.....%......#US..%......#GUID....%......#Blob............T.........3............................................................................1.N...c.................y.....0...........].....z...................................K...................[.....[.....[...).[...1.[...9.[...A.[...I.[...Q.[...Y.[...a.[...i.[...q.[...y.[.....[. ...[.....[...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.Common.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2983584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.807191200324224
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:TyNlk2vtvXwQdjfbPQ+EPba92I7aE0Vnv1XgVi4nNmch7cDpBsKTzkt2BeE:T+VdLX3Sv
                                                                                                                                                                                                                                                                  MD5:E6421C7A5CF51CB5B5706BF00AA01B4F
                                                                                                                                                                                                                                                                  SHA1:12876E56B267E945FB709D9B5703009872D1A4F7
                                                                                                                                                                                                                                                                  SHA-256:272042F39223A4445CCCAAE2490C8291CBA723A1C30B61DB7603C218C69216E1
                                                                                                                                                                                                                                                                  SHA-512:B8597038DEFDD8BC8ED07BF56903E7E85D4B427973C473F60920EE53AB04CBFD7BCA488AFC5B659116BFA62A3B95769A690496A34B95647DA1F1E65E13217E6D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...].q..........." .....r+...................................................-......m....`...@......@............... ..................................t...@&...K...^-..(...`-..&......T...........................................................x...H............text...7p+......r+................. ..`.data.........+......t+.............@....reloc...&...`-..(...6-.............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.a.t.a...C.o.m.m.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...D.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25864
                                                                                                                                                                                                                                                                  Entropy (8bit):6.25146842792214
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:aBaJC9XmGP2SoxDZQj/6YWiXFW5YA6VFHRN7JKdpR9z+pttXEv:awsXmJDZQ7EFCluD9zWjXe
                                                                                                                                                                                                                                                                  MD5:457D34A9E93C95B0E0927741C43C706F
                                                                                                                                                                                                                                                                  SHA1:56C5AE9397D703F211CBF109CFC86EA5AE16DFCB
                                                                                                                                                                                                                                                                  SHA-256:434C2AEAEC2DED6A904FF16256412128FC0FA57DC6B54A1626E8F4558A14646B
                                                                                                                                                                                                                                                                  SHA-512:DD8759ED49410BB0086638A9101DF294D4A67C56ACC4509B26FC6DC136FE8A194E76747261218EED92E5DCB47365FD91262D1D8D38CA6F47B2B4BACD82E811CF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..2...........P... ...`....... ....................................`..................................P..O....`..8............<...)...........O..T............................................ ............... ..H............text....0... ...2.................. ..`.rsrc...8....`.......4..............@..@.reloc...............:..............@..B.................P......H.......P ......................HO......................................BSJB............v4.0.30319......l.......#~......0...#Strings.... ,......#US.$,......#GUID...4,......#Blob............T.........3....................................<.....[...............:.................A...........o...........!...........R.....Z.....w............................... ...........#...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16152
                                                                                                                                                                                                                                                                  Entropy (8bit):6.794991722289914
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:9WxAgNW6i2Wp/X6HRN7AtIJVXC4deR9zVjxX:98m1WQgVXC4dC9zVjF
                                                                                                                                                                                                                                                                  MD5:E815C8AE914EE40BF8D404FCA79D5753
                                                                                                                                                                                                                                                                  SHA1:1E754EEC56B0762A99640B3B5537CB6F1FA81AE7
                                                                                                                                                                                                                                                                  SHA-256:89E4C33A4B7BA60A748A9EA3D5D1413AF0AB63CD29117F159FDCEF5779BD9359
                                                                                                                                                                                                                                                                  SHA-512:654D7B3AEFA8C29002247DB18807DF777421C94FC8E6ED4C8C013EC5828F142581DE45D2A1132C8D6BE7A2DEEEE2ED0F60F19EC78B94905245E3E5A52D23A67D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{..........."!..0..............+... ........@.. ....................................`..................................+..W....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................)^.O..(.+sY.R.T...!%s.R...F4}c..X..@..1..sh....}...........e..Enr....F..P..."...N......."l......S..^ zs...R/o..`@..i...h..;BSJB............v4.0.30319......`.......#~......H...#Strings....8.......#GUID...H.......#Blob......................3......................................Z.........9.........................,.....{.........F...........5.............................#.....p.........................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):380576
                                                                                                                                                                                                                                                                  Entropy (8bit):6.735643509984664
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:xNrYIYO/3uqTtasHnkWg62wafPoSVsybyCrEVYEHJ01TxJS:jV3ukBkwoPACrEVtKfE
                                                                                                                                                                                                                                                                  MD5:FFC6107F4CF962DECA6085FD6D6943E8
                                                                                                                                                                                                                                                                  SHA1:DA6366AA3DCF4862A4A110BEFF4EE185D64BD5DD
                                                                                                                                                                                                                                                                  SHA-256:394B562E8F1B4A2D75C86A0CCC26434A9965AE478A81978700A510005A987B81
                                                                                                                                                                                                                                                                  SHA-512:158D082C2377CFACBCEA79733C6023555B715061004ECE84998A9C5E86B63ED9F451A91946E60EB38FE915C7BEB44534F18FDE8C3FF7AD9E15233AE8743B4955
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...w.B..........." ................................................................8^....`...@......@............... ......................................`....+.......(.......... )..T...............................................................H............text............................... ..`.data....}...0...~..................@....reloc..............................@..B............................................0...........................X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .C.l.a.s.s.e.s. .t.h.a.t. .a.l.l.o.w. .y.o.u. .t.o. .d.e.c.o.u.p.l.e. .c.o.d.e. .l.o.g.g.i.n.g. .r.i.c.h. .(.u.n.s.e.r.i.a.l.i.z.a.b.l.e.). .d.i.a.g.n.o.s.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):290568
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6831877089166865
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jzvmR+TsVz/xZOkeijuG3yxs9b3NX1PkxBqqS7s03sx5Z+:jzeQTsVz/xjXjuGCjDr03sx5I
                                                                                                                                                                                                                                                                  MD5:29C2F7BBC8B17C8787ABB4D7EDC11DC6
                                                                                                                                                                                                                                                                  SHA1:79A2F9ABB8F4FED3A75962E21A8A0064F4633DB3
                                                                                                                                                                                                                                                                  SHA-256:B5AD22BF61562E5335CAB0D16233485F1E01B21556EEFA2F47E1C3E8FD5F6BF2
                                                                                                                                                                                                                                                                  SHA-512:A9C9EBBD52A4CF5C52D94F3810E21899C931BACE4C20B2923D26193F319BB07E23DDEF26B759EA45D31BAB9913421A99A772CA55918FAB4172C350BF605A96AA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....V............" .........P...............................................p......*q....`...@......@............... ..................................D....m...!...F...)...`......@&..T...........................................................H...H............text............................... ..`.data....H.......J..................@....reloc.......`.......@..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):36616
                                                                                                                                                                                                                                                                  Entropy (8bit):6.537255863264118
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:yt4gYfq6ejoniqkwx38n9Is/mjSTsssssssss4FCl3MFT9zC:yLYfq6ejoniqjx38n9IbjSzi8TzC
                                                                                                                                                                                                                                                                  MD5:C192A6B88DCA4AFD2A042C79A68155CC
                                                                                                                                                                                                                                                                  SHA1:B13A8B843D0735377C6A127565721019E54365D9
                                                                                                                                                                                                                                                                  SHA-256:27DD8C3DC2F22B40CFA443FC7B9A33520CEEC581A158042E9DD2451507A58105
                                                                                                                                                                                                                                                                  SHA-512:85B8E16B9BED456735B422FE726FFA1D3AC7FF5718F017E60829E3245DC1F454F077976E1140B168BC0D261D94B0636A2B4BC9918BBEB486B8A388BF0108E9F6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....d..........." .....Z.......................................................... .....`...@......@............... ...............................................f...)..............T...............................................................H............text....X.......Z.................. ..`.data...~....p.......\..............@....reloc...............d..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...S.t.a.c.k.T.r.a.c.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16032
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6902230677661985
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:oyVTAixxeH/WQcUWyRpWjA6Kr4PFHnhWgN7aIWZBzDoSJj+iX01k9z3AmCNGuY:Nco8H/WQcUWGYA6VFHRN7oDX+iR9zZgY
                                                                                                                                                                                                                                                                  MD5:8E4C6E5CE84FBC5DAEE123ACD66AFF89
                                                                                                                                                                                                                                                                  SHA1:3729A072623C64EB9C68DAF3EB8B982990A686AE
                                                                                                                                                                                                                                                                  SHA-256:DEFFF523549F8128A9B5ADBAA175BB186748A1DE7D3B1DD4200C0C4FF9E8257D
                                                                                                                                                                                                                                                                  SHA-512:3FF7B996FD7F1C7D230F39683847FC6D1842E844B517397284D9EF2E453739E49CC75BF6A039A073C23224BB9A54798396CA98C6CFBCCC1210BE71EFAE5177B0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............"!..0..............*... ........@.. ..............................'W....`..................................)..K....@...................(...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..L...................P ........................................Y.%"...%Do}....$fYdO.V'1Ag.C..d.bx..1y4.,.F...<...m..)%.?.t...r.|;.i.~.M8p.....1D.|......x.O..b.H_............N..... .T.;BSJB............v4.0.30319......`.......#~..H...H...#Strings............#GUID...........#Blob......................3......................................Z.........s.........................,.....w...N.....F.....0.~...!.~.....~.....~.....~.....~.....~.....~.....~.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):133416
                                                                                                                                                                                                                                                                  Entropy (8bit):6.551188165832685
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:bHjrVA3Ua/8lVkCAnPL0FlgsMzj2OE20esM9eVriqRIL8dXmty6lH4ziWzD:bvV7a0bg4F+sAaj2SM9eVriE2ty6B+NH
                                                                                                                                                                                                                                                                  MD5:AFB7C185FC983D0533BD729B121CB108
                                                                                                                                                                                                                                                                  SHA1:6FA0484D54708288F94AA6FB0AD6BE3D5F208656
                                                                                                                                                                                                                                                                  SHA-256:61C7903D1CDA2298112BCD7A0F57F1F76548A09CE7C1DEFE8D65A6B42268B4C5
                                                                                                                                                                                                                                                                  SHA-512:7380FBF5935FC2579E84923378A3EFA2C3D8F6E4954FF9F5D8007663B55ED33E81FE05A059A5E35A240A501BC298338FCAD885A579C78CD799CFABE47BC1D040
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ................................................................k.....`...@......@............... ......................................L@..........()..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...T.r.a.c.e.S.o.u.r.c.e.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):130312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.3785881753390115
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:b21fgY6c2/Pwp2Hj/ygb4xfHIKHnT6IdI0WkHLbjypy6hKl:y1fwyyzKHm+ljrkc
                                                                                                                                                                                                                                                                  MD5:0D17F379D5E18424C1CDBA037DFE8E02
                                                                                                                                                                                                                                                                  SHA1:F1D1FF0FD4E3A32AF9E7A2B0EB3D0FEC4586B185
                                                                                                                                                                                                                                                                  SHA-256:AE4D4D0A9018A3BEE1D1AAADE35872840223B6EA80F42F9ABC8CD94D0173582E
                                                                                                                                                                                                                                                                  SHA-512:8476EA5D21925EAC7007A0C0F48E3AB95D37B4E1C501FC321ACC41BC0D8E5FF59293EB6AB54314797759AF48997C21204BDE91014BF8C7F553F79471BAF6BC73
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;.g..........." .................................................................S....`...@......@............... ..................................8....0...........)......,.......T...........................................................8...H............text...f........................... ..`.data...f...........................@....reloc..,...........................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16648
                                                                                                                                                                                                                                                                  Entropy (8bit):6.682833908003748
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:OGMeH1jyMWsmCWpYA6VFHRN7YpjNbZR9zahO:D1SFFClWjFT9z3
                                                                                                                                                                                                                                                                  MD5:0B5B4A265DF1687CD6CE5A5C0C2B257F
                                                                                                                                                                                                                                                                  SHA1:FD358CEDBDC44A8635831A27BF201E557564EC4B
                                                                                                                                                                                                                                                                  SHA-256:1CBD5B22FE6CC0701B8C0A8BDE7D47C9E98FF36F878D7AB21EF6DCC2E07031E7
                                                                                                                                                                                                                                                                  SHA-512:8764648F88EB51273A25C46E4F87E41DE3F544F56510670D1AA7C10A1393E9B647813AEDD177A7A4D0BEAEF446A7DBF20E00F884071BA4CA08A7861204D739EE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...."............"!..0..............,... ........@.. ...............................e....`.................................\,..O....@...................)...`.......+..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........ ......................P ......................................u6.R6.;..$..y..3+L.,..q?-C+&Mw,me...z.....%.~...L..>.W...5.m.6........h..u.C.W....5..B..[...... ...5.;..........?B|c:c.AqBSJB............v4.0.30319......`...P...#~..........#Strings....0.......#GUID...@.......#Blob......................3......................................>.........W...............................Y...9.r...j.r.....r.....r.....r.....r.....r...w.r.....r...........#.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):200456
                                                                                                                                                                                                                                                                  Entropy (8bit):6.678151949832614
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:vfjQgR2Iits3cbSjp74Cmwkv9Rc5ff3MAdI:vfUy27tScbSjp74CmwTvM0I
                                                                                                                                                                                                                                                                  MD5:0F50B814E03E5D788050A64A02E79186
                                                                                                                                                                                                                                                                  SHA1:F4784DE5C05420D20962911E8A9C25BF4A5472EC
                                                                                                                                                                                                                                                                  SHA-256:62EE5698F9DD0429111B6E206E681774A9A61B89DE860632BA1F1E669E2B4B67
                                                                                                                                                                                                                                                                  SHA-512:1509426BD27ED3722FF8AAE7BED13FA4BF0DD51211ADE6CA7EF564782952E2A7A4DE3365253A0EB59CD66604D6689F4055AA7977F4E3792188A74316048671DF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r............" .........(......................................................e.....`...@......@............... ......................................XO...........)........... ..T...............................................................H............text............................... ..`.data...1".......$..................@....reloc..............................@..B............................................0...........................H.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...j.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .c.l.a.s.s.e.s. .t.h.a.t. .c.a.n. .r.e.a.d. .a.n.d. .w.r.i.t.e. .t.h.e. .A.S.N...1. .B.E.R.,. .C.E.R.,. .a.n.d. .D.E.R. .d.a.t.a. .f.o.r.m.a.t.s...........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.829197730895101
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:PluRPWYRgcRp0RjW2X6HRN7wnipR9z+pt9Pa5:PaNVpupWwiD9zWnPa5
                                                                                                                                                                                                                                                                  MD5:6687C41093EC1E800065E8B9F519C85C
                                                                                                                                                                                                                                                                  SHA1:A1C75BF69C5229431DAB32AD6CAE238F5C23BC89
                                                                                                                                                                                                                                                                  SHA-256:727FCC0B9C7F2C8E442B79CB27DDFA0F77C988A3ABCAC1D8AC54B8B5D13FA2FD
                                                                                                                                                                                                                                                                  SHA-512:C85864BC5DC84D611A2F72AABAF46EB4711F824ECCA6303268C87DA702B3584D7B882C55A16824FDAD5D04F5AE91DD82461B52D1A4767B56362C18B746EB3932
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B^c..........."!..0..............)... ........@.. ...............................s....`.................................h)..S....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................l./%..d...w.Ah3C....O.*.~.[....I+.....e.....S6|....q......m.Uo.....X4...Lt...{f[^X|I..o.. K.].m-...~.D......V......1aVEJ.M.3,<BSJB............v4.0.30319......`.......#~..@.......#Strings....$.......#GUID...4.......#Blob......................3..................................................P.....P...3.=...p.....^.....a.......%.....%...w.%.....%.....%...w.%.....%.....%...G.%...I.P.................7.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16032
                                                                                                                                                                                                                                                                  Entropy (8bit):6.722888698554338
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:amQ/APRLWdRMxRA0RHWDSYA6VFHRN7ht1t6R9z7UK9:amQ/k00AupFClht1t29zgQ
                                                                                                                                                                                                                                                                  MD5:8122E1A69A6500E33056AE1556B83C1A
                                                                                                                                                                                                                                                                  SHA1:F10E765E55F79FE056B8E0B74C3DD1A04351CFCF
                                                                                                                                                                                                                                                                  SHA-256:71B712F484C595CEE326A040C8868D11EBB8A28F8E10F58579E76C6B056ED6E7
                                                                                                                                                                                                                                                                  SHA-512:B1568DC386ACD6C1CB8C5867CADDEE680C228F04A09EFD7616C712F5B2D00EA837F90BDEA28E326750BF6AC5BA639181FCAB73AFF9C2EF73986B9A30D404FBB7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w............."!..0..............+... ........@.. ....................................`..................................*..K....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P .......................................7.)n..a.&.3..... ..]tM.%:.....:%.[....F.5-.....M...L[...F.k=........FZQ.e...Xx~........*.k...LPw......T\.o.{9...+=1AB.BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................).........3.K.....K...L.....k.....w.......B.....,.....,.....^...2.^.....^...l.^.....^.....^.....^...S.^...`.^.....K...........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):826128
                                                                                                                                                                                                                                                                  Entropy (8bit):6.112403183100119
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:CJhYe83Gfyv7vrkasX8LZ6dA9NWYIAHhlyR8ZXTw05nmZfRK1o:IYXv7vr5dx9IAniAmZfREo
                                                                                                                                                                                                                                                                  MD5:83183EED671A225CACCC6335313D2179
                                                                                                                                                                                                                                                                  SHA1:9A11A9790E64443DE2C26EB52DFC6BD6C74F1558
                                                                                                                                                                                                                                                                  SHA-256:A0BF4ADBFFCDA63F954F8F5564EC53946AFCEEAA69506F17AE5DB214472C5500
                                                                                                                                                                                                                                                                  SHA-512:B2871B9DA5D2EF390EF9297D6052EA809EFE4EDEEFAAF53221B029C93C064FFB2E3499F2A8A827A8B0A0C40A441627AA4B7485C72B082F5BBAF13F5BC9E4F193
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*.ORn.!.n.!.n.!.g...b.!... .m.!.n. ./.!.<.$.q.!.<.%.d.!.<.".f.!...).@.!...!.o.!.....o.!...#.o.!.Richn.!.........PE..d......f.........." ......................................................................`A.........................................V..<...<Y..x.......h....p.......r...)...........&..p...........................0'..8............................................text............................... ..`.rdata..._.......`..................@..@.data...,....`.......H..............@....pdata.......p.......L..............@..@_RDATA...............j..............@..@.rsrc...h............l..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):39688
                                                                                                                                                                                                                                                                  Entropy (8bit):6.509096272626782
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:0WPIIWzAp7Xgjg1al2Yd5zDN2g47XCIYUvsWIXpuJFH9CEUoGdqtHfSBGU0ypu+H:+OwDf4gMCUUjgsEUtcGpXvFClVRxw9zf
                                                                                                                                                                                                                                                                  MD5:B9C3C7F050ADF5D8AB365AB6D3587286
                                                                                                                                                                                                                                                                  SHA1:0FF43EDC2E21828E491CD662B379A7F69FD5C016
                                                                                                                                                                                                                                                                  SHA-256:25EACA54AA1CDF58C6EDF379C6F61674C968DB982E56CBF5072576E058B679A3
                                                                                                                                                                                                                                                                  SHA-512:54780E0040B03CB1783F8FB8177AB57F3C1E70D1279B3B4C40E9E84F291309F7DDDFF2893F11652DEBAA68FA7CE5EFFBCAB6A43198A967408D777D5E809F39C8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...O............" .....d..........................................................2.....`...@......@............... ..................................P.......4....r...)..............T...........................................................P...H............text....b.......d.................. ..`.data...e............f..............@....reloc...............p..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):267056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.676156102505666
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:pPlVaqxaMRqarRTaoJLaT2uPhMSt3JiTHqE0F8LVq/GMjya953xieUbwn+3cCEqC:j0eD8xwgiTzVqXtpIMV/cOVjKGb
                                                                                                                                                                                                                                                                  MD5:649DBDC92B5DBD1607A1F6B650BEC02C
                                                                                                                                                                                                                                                                  SHA1:F41CEF14036CE1B578720F43F646D24B09E74DA5
                                                                                                                                                                                                                                                                  SHA-256:732AADE5AC1542E66ACA020BDC2C8BFDBCEC21168F7B347F88A844315713AA8F
                                                                                                                                                                                                                                                                  SHA-512:2C8D70EF32E5840276A1EBE3215FB6FDFDFEFDDEBF392970578F1C9B2AE33B100980BBDA639A51769CAA07A3046E22DF1D6CD9DFE6A0E10F83F0A0941CAD740D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...).1..........." .........@......................................................&.....`...@......@............... .................................. ....j..T.......0)......@... '..T........................................................... ...H............text...1........................... ..`.data....8.......:..................@....reloc..@...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):93960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.568373020345826
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:QaWBXrBsyesUkP3IYoXxs6+gvXYqFBigvfL4iuz0:QdBXr2yrIjo4CCT4BQ
                                                                                                                                                                                                                                                                  MD5:6F62AB0BC69B1115DB7EA79AC22B249F
                                                                                                                                                                                                                                                                  SHA1:DF95F07D55F58EBE9323F7F3CB4C53B4A4E16D28
                                                                                                                                                                                                                                                                  SHA-256:388D827290273301ECE6A797E2021238675BBDB424C520F4CF922C5420F4B9B7
                                                                                                                                                                                                                                                                  SHA-512:9AC0230B59FE22C30B381A294CC3C4B8FB43FB17268C810172CE2B35337467F4A0501C7DAE3C140FA37465ABCAD2D830C6D63F1A278ABBFAF2ADAB315F024E5C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....`..........." .....(...................................................p.......>....`...@......@............... ..................................t...T/.......F...)...`......H...T...........................................................x...H............text...w&.......(.................. ..`.data........@.......*..............@....reloc.......`.......B..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):42784
                                                                                                                                                                                                                                                                  Entropy (8bit):6.444572054452613
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:9WUWyWquDVCHWl2Yd5zwNirXKT2JoYuchKG46JdicX+zu6CVy1/8K4Y5eHs+dLiq:ovf/mv36JwcXKLkK4YoSL1W9U9zG
                                                                                                                                                                                                                                                                  MD5:467F13402BC600AE9872E7A82D891D1A
                                                                                                                                                                                                                                                                  SHA1:837E11B9B7C67B617538958267849DBC3B080EF1
                                                                                                                                                                                                                                                                  SHA-256:B26AEB1B48380512658550F2BE2C196C46F067FA5014E5C0693A289243364D4D
                                                                                                                                                                                                                                                                  SHA-512:2440286517E87F5D93446271C5B10AD53C1E7EC21E5C59B067392A6935E5CDA73F5750398859BCBB204511025C4D5633E3BA9220FFFDA31D2EB0683217508126
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}=............" .....p..........................................................I.....`...@......@............... ..................................\............~.. )..............T...........................................................`...H............text....n.......p.................. ..`.data...s............r..............@....reloc...............|..............@..B............................................0.......................L.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........d.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...@.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8279746301481845
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:QdhYqx9jW/uqWjpWjA6Kr4PFHnhWgN7agWirdIhHssDX01k9z3AGWym+:QdJ9jW/uqWjYA6VFHRN7FriFDR9z7Wa
                                                                                                                                                                                                                                                                  MD5:6334DFF8984928C204C051F8BB212F73
                                                                                                                                                                                                                                                                  SHA1:2C64DDA4206516603475EC7AD9539312F8019666
                                                                                                                                                                                                                                                                  SHA-256:EEA42A0A145C32604C595A6A0A1AA1221AF7C5FF78F4F68C5A274A6239A1A834
                                                                                                                                                                                                                                                                  SHA-512:443A2AEAAE4E5F74DA8B41F1C6EF8E6C653E07B1238516650DB835298850D44DB87EB55C8A71A8EB90CEDDEA3C2B81A6F3655FF4C1FDAE7B72FE6C9CF48B61F9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!C............"!..0..............)... ........@.. ....................................`.................................`)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................E....(r...;.=:|..~P...m.'...tAI.y.#.;......k.....l..........T.G.R.!.a.....#.-...D.2.:X.5.ku.|.[.9W.......v.(L..6.....j;..\BSJB............v4.0.30319......`.......#~..L.......#Strings............#GUID...,.......#Blob......................3................................................!.J.....J..._.7...j.......................E...........Z.......................A.....s.....u.J.................1.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):83720
                                                                                                                                                                                                                                                                  Entropy (8bit):6.496857838837457
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:o8cy0w9JvivZVauxGHUopdNeU+Mf36HZMV8cidIzN:om9JviyuxGHUopdNeuf36HKqcV5
                                                                                                                                                                                                                                                                  MD5:3B2A12A984CE0BF13D5456E2A1A8B7E1
                                                                                                                                                                                                                                                                  SHA1:9AFF09FBE28F6229A568EFE481649427B9E940EF
                                                                                                                                                                                                                                                                  SHA-256:E93461BD9BB50625F8EDB92B80747C73BBCE2012058E8ED18CB80ED5BE0C8C4E
                                                                                                                                                                                                                                                                  SHA-512:94331602911AB39A5EC816562F5D29B7982B180FA7A88C752C4E58B5E95281F94B97BF95E33CA6643977EB4F4D88F4BC153E1FBA10FB460803636EE93D134B04
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....H..........." .........................................................P............`...@......@............... ..................................8....,...........)...@..........T...........................................................8...H............text............................... ..`.data...}.... ......................@....reloc.......@......................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):69392
                                                                                                                                                                                                                                                                  Entropy (8bit):6.416282203605119
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6q4zbv1VnpSetYSxycVFidKg0WWcnic23zc:6jv1SetYMXVMdKg0WWm634
                                                                                                                                                                                                                                                                  MD5:A28A3AA833134E59F793389AFF65DA55
                                                                                                                                                                                                                                                                  SHA1:5ECE44F0ECC710BA0732633B7078A70867936964
                                                                                                                                                                                                                                                                  SHA-256:C9774E7FB725A7517BCC758832F2FC3046EECC5DC05656757BF3E6B555340289
                                                                                                                                                                                                                                                                  SHA-512:3DF973C8247E2E1277679F9C6F2FB8DF0B8536BCE073455E3AB858D2F5674E7A49E6D0C90953AAC09480859D72373CA750CB6A094AEC8656CB5D151D305C721D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...N............" ......................................................................`...@......@............... ..................................D...@%...........)..............T...........................................................H...H............text............................... ..`.data...h...........................@....reloc..............................@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16656
                                                                                                                                                                                                                                                                  Entropy (8bit):6.796773675745742
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:qhedWmW+lPWp2YA6VFHRN7IP2IR9zo+CK:qhGl/FClfU9zwK
                                                                                                                                                                                                                                                                  MD5:6CA91D68B229B7FB22BAF4CD90E3B6DF
                                                                                                                                                                                                                                                                  SHA1:5992816675CDF4A308AE3ED4B067333E2A6136DD
                                                                                                                                                                                                                                                                  SHA-256:457210C9BEE0BC23BB939A0C066648A1BF644EFC2E688CD5B9A34A0887E8B9D7
                                                                                                                                                                                                                                                                  SHA-512:BC229BE933AA3AC268A1DB6F3D72BBBFEE17132D9E219A811D191FF119F127E3640B26CF00913716CE431BE17314D2F5300A4FB55C9709E7A91DDF4B6C6838A3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H............."!..0..............-... ........@.. ...............................d....`.................................4-..W....@..T................)...`......p,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B................p-......H........"..............P ......h"...........................................<linker>.. <assembly fullname="System.IO.Pipes.AccessControl" feature="System.Resources.UseSystemResourceKeys" featurevalue="true">.. System.Resources.UseSystemResourceKeys removes resource strings and instead uses the resource key as the exception message -->.. <resource name="FxResources.System.IO.Pipes.AccessControl.SR.resources" action="remove" />.. <type fullname="System.SR">..

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):136456
                                                                                                                                                                                                                                                                  Entropy (8bit):6.505276293770358
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Tesr1AT4UdLwfR0CogtN6gQTveCMi0eZemClyk87hv/d4:dAk0EtMgCWS0tev/W
                                                                                                                                                                                                                                                                  MD5:9B7CB60F3687BB167C364027C69BE75F
                                                                                                                                                                                                                                                                  SHA1:F7D769F90F6FD22C121068CEC9AEC982CDB8511E
                                                                                                                                                                                                                                                                  SHA-256:ED9A1BFEC6B09CDDE2BB9FD7360C317A8FA536A39A211C649BC09324F6230455
                                                                                                                                                                                                                                                                  SHA-512:8428475F090AC092B2F97A824FA37AC21CE033C879CA082C93C3A127AE9086851997691CBFA85C232E96401D7347C2C075078A1A61DDEEF02D9A6AC095BFC776
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........(............................................... ......@H....`...@......@............... ......................................H;...........)..............T...............................................................H............text............................... ..`.data....".......$..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.835129073107362
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:pRHaXwxxx0SsWj6+WCpWjA6Kr4PFHnhWgN7agWtu8RwX01k9z3AeJR42Z1Of:4wb+ZWj6+WCYA6VFHRN7n9R9zrJRLZ1u
                                                                                                                                                                                                                                                                  MD5:255A63BB93AC8BEE021387B56A829104
                                                                                                                                                                                                                                                                  SHA1:B2BA88675BE4E005FB696ADEF5E99ADF2DEFAF47
                                                                                                                                                                                                                                                                  SHA-256:AAC0BCE431DE0D833394371359AE5BDD94B369C77733AA078B2EFAACDFCCCB2F
                                                                                                                                                                                                                                                                  SHA-512:3BB01D1F576C03895B0AA235624EC5B868EAF91621F997018A8F6EFBF469FD930AB548B4F1450D2B4AA543388BA4B9645284CBD2BEF0F39370341E911E1919A3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\..........."!..0..............)... ........@.. ....................................`..................................)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................Q..].i...........k;.!..)zw.V....0/(J......$L.....1i.A.+..D5.....G.|.&.c.va7.c..6L..!R......N..3...........RO........D....#BSJB............v4.0.30319......`.......#~..<.......#Strings....,.......#GUID...<.......#Blob......................3................................................,...........E...........p.......W.................^...+.^.....^...e.^.....^.....^.....^...L.^...Y.^.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.684716827535747
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:5bn83gY2W25bWXYA6VFHRN7Mm2R9zza+Qjb:1ndlcFClDK9zM/
                                                                                                                                                                                                                                                                  MD5:CCA0BFF7447B36C3585BD58E7331553C
                                                                                                                                                                                                                                                                  SHA1:60F98F8F0E64CC99C3870ACDF6853305E95DB2D7
                                                                                                                                                                                                                                                                  SHA-256:B772B9323E9E0C1B1E30FADC067A972132A434DA35B7FBF94F83E3DFD7D18F5C
                                                                                                                                                                                                                                                                  SHA-512:640926BB6951D915F40372A4FA8F200304EA040ED6D066D9EBFF06C104AFEF52091CEA415574A20168B0F90EBB8C60E491E11DA311ACCCA4DCC16DF3F426B20A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j............"!..0.............~*... ........@.. ..............................7-....`.................................0*..K....@..(................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ......................................P....].&`..9.wl....R....k.SI}iK.N. ..h...1F......4.Y....eI9.......i.;.L.hN...a.G....w6..0....Q.#...8. {.%....2Eh>8i]...aBSJB............v4.0.30319......`.......#~......8...#Strings....,.......#GUID...<.......#Blob......................3............................................................=.....).....h.....k...........#...........8.............................Q.....S.........................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3857168
                                                                                                                                                                                                                                                                  Entropy (8bit):6.688507729288586
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:NcJRCkV0qWhSxCKB+GuuYKfM21hDPX7dRVLTeeYjGt553P77zbr7jrgrr+69NHX6:GJRCBhSzBpzfl1mja52rr+ANHXUZ
                                                                                                                                                                                                                                                                  MD5:41FA254B55E24CEBCACF5076FC3029A5
                                                                                                                                                                                                                                                                  SHA1:772DF03395D545DCAD32AF8F842FBB5BC1D208F8
                                                                                                                                                                                                                                                                  SHA-256:5FF8E5B5DE3AA34EC78E7242B4A79031C8193708DF7D558BAB940BC7AB9BF44F
                                                                                                                                                                                                                                                                  SHA-512:0DA185EE166679EE8F984D6319EB775C23E047FC064D42FB753B756464F95E336FFEF2537DEA09AEF2350F48C16CE1699A038C6E6EB4520A4492CF6A7E537B20
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....k..........." .....F4..j................................................:.......;...`...@......@............... .......................................(........:..)...p:..b...w..T...............................................................H............text...(E4......F4................. ..`.data........`4......H4.............@....reloc...b...p:..d...N:.............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...E.x.p.r.e.s.s.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):228616
                                                                                                                                                                                                                                                                  Entropy (8bit):6.512443359566012
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:RZIyoRf1vQ4cHZEAAJLX02JiReD2bY7i+I/4n148cJE87MZzZiqGM+3aTol2iYIv:Rfo91vQbHZtuz02gb8dn5cgZ9GXVICv
                                                                                                                                                                                                                                                                  MD5:0FD8A529D17BDEC60A3D941E5BEAC4FC
                                                                                                                                                                                                                                                                  SHA1:08FEAFAE32E7CCB861F34034599B53C368E6DA5C
                                                                                                                                                                                                                                                                  SHA-256:7B1E83169F3865DB64C05C4CCC1C913E868E8B675B78B734923BDDE7E15ACE50
                                                                                                                                                                                                                                                                  SHA-512:8181FBB05721ECB49B97787A935E23F21770DCB8A7AA3C1FA554D8A096BD5F2F7A7D92BAB2443E5148173E832EDAD9B6D3006292BEFB2D3C69C7D7B5912B749E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;.b..........." .........z...............................................p............`...@......@............... .......................................4.......T...)...`......h...T...............................................................H............text............................... ..`.data....n.......p..................@....reloc.......`.......J..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...Q.u.e.r.y.a.b.l.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):537896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.825953112999709
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:vLvJrD97IezrSLW5iIEobS5lEPsypTcenKskBvYvvyejaQO02KuAlz8J1J4+PDx8:TBrZ7IJ65iIET5mYIKsk8HQ8UASxW02
                                                                                                                                                                                                                                                                  MD5:DD7DD41A5EF369048A21784A73993E86
                                                                                                                                                                                                                                                                  SHA1:27A030563148509EBDC9E983E18885E621CDC26D
                                                                                                                                                                                                                                                                  SHA-256:F77B6D40B0B23614975F9124E337D7839194E2108D1C047D8DAE3F3F04ECD429
                                                                                                                                                                                                                                                                  SHA-512:C3823135C67A8492B507DCBE712D92821F5E896931C3B8C797FA9040E7D525842CABC0F196C0C5527F08D266A01EE3066B2F1E4930DC9EF833E6D85978736FFC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....p............" .....`................................................... ............`...@......@............... ..................................4...$...8F......()..............T...........................................................8...H............text...._.......`.................. ..`.data.......p.......b..............@....reloc..............................@..B............................................0.......................$.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........<.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...0.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...@.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...L.i.n.q...>.....F.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):173832
                                                                                                                                                                                                                                                                  Entropy (8bit):6.801666674835895
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:ft95NfdOt6imRtccnfS7h+y6fM/XkFPh/h/tmlTYrADS12UogJv8Xx:bdOtbXcn67h9oPh/hwOUD0v8h
                                                                                                                                                                                                                                                                  MD5:07F04C8E412E1BB8FF3D064D95C8AB4B
                                                                                                                                                                                                                                                                  SHA1:ABAE696A98F55D279925D82E9AB0246EDD8D6B1F
                                                                                                                                                                                                                                                                  SHA-256:F999676C4E7AB2CDC76C75CBED43B7D323BCDAF75669D6676DA398E013CDC013
                                                                                                                                                                                                                                                                  SHA-512:E519C50F8781E2C4A61C41356F79C735885493DC7B8A457BD3DAC19B51305A71A33E8D158F1887F60DF62517ADC852666CBF92FE2C2AC04B6AFFA02413A7534D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7............" .....P...,......................................................?.....`...@......@............... ..................................D...d<.......~...)..............T...........................................................H...H............text...(N.......P.................. ..`.data....'...`...(...R..............@....reloc...............z..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0...4.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...M.e.m.o.r.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...D.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...M.e.m.o.r.y...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1807120
                                                                                                                                                                                                                                                                  Entropy (8bit):6.72377514511698
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:K+gRWsMsT/8SuPB0eDHxY6AnUIV2Et7+JSy6HJXwpkUrBc:K+gRHM6uPaeDHxY66UIV2PRaJ6a
                                                                                                                                                                                                                                                                  MD5:DE6AAE454E722E3F6338983C3E292B9C
                                                                                                                                                                                                                                                                  SHA1:4300C95F41916EFA603314963CA0E70FDB8F7E47
                                                                                                                                                                                                                                                                  SHA-256:6537558C53FC3F52C714D0B42CE52010D91C66BA040AEE1B57B58D1361AD075E
                                                                                                                                                                                                                                                                  SHA-512:BEF4AE8B7D5CB732DE8DDB473E04E9B96597075EB2B20A2D812732450CFEA6313C271018CDE87F0DC47BEEAC7ED7B75D8915FDBEBA09A272D2C4C95D04F71F4D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...*B............" .....^...............................................................`...@......@............... ......................................dt.......j...)...`..(....u..T...............................................................H............text....].......^.................. ..`.data........p.......`..............@....reloc..(....`.......L..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):639152
                                                                                                                                                                                                                                                                  Entropy (8bit):6.675826804479448
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:SAaST6MSRsRshV3P1ZE7Ap0FTRNN3RdR9R5ijQz9Dl6Tm:SAgF02J8TrWkz36q
                                                                                                                                                                                                                                                                  MD5:42F40FB38738D1F24D4DFCAA2491A274
                                                                                                                                                                                                                                                                  SHA1:0009AE9396D79E06D03323D8EAD5A6240B34ECF7
                                                                                                                                                                                                                                                                  SHA-256:9AD8BAE6EDEFBF35B8BBCE5DFCB5B058AA3B9A23F6836CDFE60601FD693EEB43
                                                                                                                                                                                                                                                                  SHA-512:B0C367588287226B148F5F3E2498423AB56B06EAEC327CCE52CDDAF05B4988EA5F5DA839F7BC5B8864724A875780FB42A51347AE260305E4A2EA87245095275C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!............" ................................................................1.....`...@......@............... ..................................,.......p;.......(...........3..T...........................................................0...H............text............................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........4.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):552248
                                                                                                                                                                                                                                                                  Entropy (8bit):6.681552978241307
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:04YNveL6eFP1XxuNT5L2B2APiOLlbH5GAgZFd3qU:sa6A9XQ5FbP
                                                                                                                                                                                                                                                                  MD5:312C76ADC34A80AD00C01E036FE99893
                                                                                                                                                                                                                                                                  SHA1:A0E437A0CCAD78699EBC165E068182741C50C247
                                                                                                                                                                                                                                                                  SHA-256:558D751335D9ED63C6220F8B52DF1D5BE7138B844DD55A0ADBE0515EF3EEA9B1
                                                                                                                                                                                                                                                                  SHA-512:017BAEC878110FDDD6CD39AAD9E2DD7F7FB7ED274D85C82F81D8CDB2CE1B942A24E0DCFEAD50E2F27F6ECBCA8122CC7200201E8C105DC5E02F9BBE547FC14333
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f............" .........................................................`......l.....`...@......@............... ......................................x....@...D..8)...P..T....2..T...............................................................H............text...P........................... ..`.data...*z.......|..................@....reloc..T....P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NameResolution.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):101136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.58531291273166
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Nc8vDWisUZDWj5CkxyB0flOpiJvXVIb1C:rvtpz4JFIs
                                                                                                                                                                                                                                                                  MD5:1EA4AFF32FC894ADFAB80ACBA0911FFE
                                                                                                                                                                                                                                                                  SHA1:F7E6D194EB406373E7C51361C732CF14130DC0A9
                                                                                                                                                                                                                                                                  SHA-256:6A4014CCD490E0BAD0A2521F5C0541037E945F8D06067777D90EC0AB1116579C
                                                                                                                                                                                                                                                                  SHA-512:B19735B5117625559BE7E9B720850B19052FE5F0910C5C311E1302C41A1D820D207B290671D23DF86F045FB693A8019EFA6752682DCA61DEC447C200C459E937
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....m)..........." .....8...(............................................................`...@......@............... ..................................8...X2..(....b...)..........X...T...........................................................8...H............text....7.......8.................. ..`.data....#...P...$...:..............@....reloc...............^..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):150792
                                                                                                                                                                                                                                                                  Entropy (8bit):6.573942436665297
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:dwGzr+JIgd5GfZOB7jG9LysLUYxPZLVXQ2Vf8ync7D+1TSapyLX:pr4Ia5GG7SLUY5fnp1+Db
                                                                                                                                                                                                                                                                  MD5:03F87B913BFE0EC24269251A9A6D0853
                                                                                                                                                                                                                                                                  SHA1:D2556A98ABC04D0DB2143B4AEB6BC80D97C51A83
                                                                                                                                                                                                                                                                  SHA-256:855A2B2D8AE418B3144D6A110DB09410A617D63A47B190EF51D66E018B5E68D5
                                                                                                                                                                                                                                                                  SHA-512:CAF1DA84B24C4EE8457248C60BCBB65247F3EBB31C789F270EB630B5D9305622724E6BC13411AA254F91471EA97DEFBE56A77E21E27B3F482923D35EBFB0F9C4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....%............" .........0...............................................P......7.....`...@......@............... ..................................P...p;.......$...)...@..h...0...T...........................................................P...H............text............................... ..`.data...L*.......,..................@....reloc..h....@....... ..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):79136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.588702845265931
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:yS1PRHHY1TVcdoU0ZMg4m5IL2SvKBpKY37PWWDczF:yg5HHYVdd48ILepK86/B
                                                                                                                                                                                                                                                                  MD5:9BAAB57800A8916FC5F8A34ABD4369A5
                                                                                                                                                                                                                                                                  SHA1:9C9B2A43F51929E676DF7946BB67C3F6DC9AA541
                                                                                                                                                                                                                                                                  SHA-256:6AEB6CE1FE5C3A96845DD577F40D556CC3B88E23518396B14004EBCAA99455AB
                                                                                                                                                                                                                                                                  SHA-512:0FEF94A0C557740E0B538F103039A5A3E8007A6C150C88BAAA1552A5D77F1D68F61A876489F496139F001C1897DCC6A5677DA2BF55B2EF3BB42CE644497C2840
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q............" .........................................................0............`...@......@............... .......................................,..D....... )... ......@...T...............................................................H............text............................... ..`.data...............................@....reloc....... ......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):214288
                                                                                                                                                                                                                                                                  Entropy (8bit):6.692866532143802
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:vtjvFk4HiSLahyjGNbykDXO3bf5G+bHX7T1sWkN6OcE/64BWm1/2us/6M6eURoi5:FbFk4C5y4zOz53h+5fwR6eSo9kD
                                                                                                                                                                                                                                                                  MD5:D45721810B97663F99E10123DDFFEA4C
                                                                                                                                                                                                                                                                  SHA1:400FA1A9C317DCDAF5A6229B713B3803BB6879A9
                                                                                                                                                                                                                                                                  SHA-256:1AA669D54F4BBA84C1833E4C6C7FCD6C5057412618604F48844BB79B9FE0AC72
                                                                                                                                                                                                                                                                  SHA-512:3932DDE0AB8EFF7A0A1DAACA9A6C0F29A17A6F55039F640AEBBEE61CBA07567FE756F5F6A6A787ADFBCBB268A73861F5FE51C177380C3B783D380883DD2F16E9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....>............" .........:...............................................@............`...@......@............... .................................. ...\V..<........)...0.. ....!..T........................................................... ...H............text............................... ..`.data....3.......4..................@....reloc.. ....0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):293640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.636078633076518
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:mvExTiARl6gq1zPt3CxPpuLdDmRw6WSL/l6eohgni:lR/j6XzBCxPpuLRm1l6Xmni
                                                                                                                                                                                                                                                                  MD5:FD789783FCE2564634EA2D47D4CF14CB
                                                                                                                                                                                                                                                                  SHA1:4C4C721EEB969A869625F64150759EA236DA1E7D
                                                                                                                                                                                                                                                                  SHA-256:7E5A21124CD63F428A24B78290569628F16C7C0D58BD4323CE358B235031AC98
                                                                                                                                                                                                                                                                  SHA-512:B0C4F2072E239312ACBFA868E5A69957CBAF058A189DB1DC4B2DD2265396C69C6A5813B8A8FF1D18F7950A93D3AAD08B51AE58805E1E14891EE8BA873D528886
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........n.......................................................*....`...@......@............... ......................................xw..|....R...)...p......H&..T...............................................................H............text............................... ..`.data...Re.......f..................@....reloc.......p.......J..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):349456
                                                                                                                                                                                                                                                                  Entropy (8bit):6.619249857259698
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:ymhqNLrajj/iS/9z3E8djsPOkdMA4f5G/eopZFBq1Y:y8YPafiUWXAr1Y
                                                                                                                                                                                                                                                                  MD5:646F04A2738C65F25D1934E497ACFBA7
                                                                                                                                                                                                                                                                  SHA1:19850A695DC06568C4B4766A2BDF4D0383A6A273
                                                                                                                                                                                                                                                                  SHA-256:68BD9418A0B1ECBFD4202F145D00C0D23BB40F1936964A2B7EEB979053B234FA
                                                                                                                                                                                                                                                                  SHA-512:88664A6FE955AC149EF6C4E5DAE49D414BE01B7FDCC7BD3BF578B84BC84D63BCC6EB12BC53495C255E19A3977877C04DACFB2D5D078AAA4B2B0E9F0474383CC1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........p...............................................P......,.....`...@......@............... ..........................................*...,...)...@.......+..T...............................................................H............text.../........................... ..`.data....g.......h..................@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):506632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.739877963601641
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:iY72vFk13eFkZMdvJEKzDiL1vu21pcIzL9wKopz+t+dR5jJ3B+P:iY72G13ZMliwiwOoZ+t+dRz34P
                                                                                                                                                                                                                                                                  MD5:B1C89B1E9A5D537A32BFC42710B590C6
                                                                                                                                                                                                                                                                  SHA1:0D0AEC1748EC4B8B50C23E82F6453908AE4F4F66
                                                                                                                                                                                                                                                                  SHA-256:E15AFD60ED6A5801F153648A77F36D15B7F9EDD1934CD342AAA3312D23E57FC1
                                                                                                                                                                                                                                                                  SHA-512:35E24F64F3D0A8FD171736C2503DC45931A9169C30BDFA450A741B0DD3E8E264B82508937CB52AFF31FFCCFE86DA4BB8FBFE38148748B3ED76F39B611D777F37
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...b2............" .........~............................................................`...@......@............... ...........................................6.......)..........p4..T...............................................................H............text............................... ..`.data....s...0...t..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):166696
                                                                                                                                                                                                                                                                  Entropy (8bit):6.64714001372041
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:5xwi2eI9dTW/NFVMqRcz7qu0OxDVY3qwJhlij3PMluseo1rzSH:rwi2eORW/3/RczOu0ghsegzS
                                                                                                                                                                                                                                                                  MD5:E66E573B815651533098204FE8F6A4B3
                                                                                                                                                                                                                                                                  SHA1:8A781D7E5C60F432BFB81FE4CBDCF1387E1B5711
                                                                                                                                                                                                                                                                  SHA-256:2AF045741EF32D6C92E345D75281B39EA818958C01ECB47834E43540901EBC83
                                                                                                                                                                                                                                                                  SHA-512:32247AAF0B7E71B365DD752A51C296C2EC3CB880A02106E4774616638E5ADEF16EEF163CB797076E9F891F612C4E38FD8039A3194C4533A07374DCF6B1477054
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...p............." ....."...>......................................................P.....`...@......@............... .......................................L..p....b..()......x...H...T...............................................................H............text.... .......".................. ..`.data....6...@...8...$..............@....reloc..x............\..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...B.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...R.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):60696
                                                                                                                                                                                                                                                                  Entropy (8bit):6.535904077319764
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:HBfRKv+6SDbVXWTlEG3VulTTTTTTTTTTTTTTTTTTTTTTTTT0NW8zOCb:HrKKpXqln3VRNrJb
                                                                                                                                                                                                                                                                  MD5:1A2192CD55AC26651019BD5716EDF274
                                                                                                                                                                                                                                                                  SHA1:9DDFCAAB954D4E86CFC9DA88E666AB57A19A0561
                                                                                                                                                                                                                                                                  SHA-256:2888BFDD67C2A71968E5945814471BFFC0A3BDE85980DF855CE3D60FE93C76E2
                                                                                                                                                                                                                                                                  SHA-512:2E4ABC3F4FF57418B2C0DDDEFDFCFBC48AE6B4ED5AD6C28C4917C04DC447A52B3356FE5F478283930FCE7079D08742946844F7537EC5D9E90C7163CA99174922
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ......................................................................`...@......@............... ......................................x"...........)..............T...............................................................H............text.............................. ..`.data...9...........................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.H.e.a.d.e.r.C.o.l.l.e.c.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32056
                                                                                                                                                                                                                                                                  Entropy (8bit):6.557487177148606
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:y3WpQwWm/k/viYHcZg2VUi6VGt1QWKlL/95/1oqOMlGFESX6HRN7PSpGR9z35v:yNyk/vL72Vd1HgTls3WPSY9zJv
                                                                                                                                                                                                                                                                  MD5:6EB91FC196B1CC9F19B2CD8FC3E8434A
                                                                                                                                                                                                                                                                  SHA1:AF03A2772C81E7CA43DE3297979F110BAAA6CFDF
                                                                                                                                                                                                                                                                  SHA-256:8F91556DE372D206D3622027C4512398B58EC8859C376A7D144926E0E85E51DA
                                                                                                                                                                                                                                                                  SHA-512:2AA33D88632309BC64932A1E330072CDCD0D8C9952B7B9CB25F367EDF7AA11BD005C2299AF0E1D4E3005D75CDD2620688322F14ADD8B03A1B3A01FC454E8ED71
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....H................................................................`...@......@............... ..................................t............T..8)...p..........T...........................................................x...H............text..._F.......H.................. ..`.data...i....`.......J..............@....reloc.......p.......R..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...@.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...P.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...N.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):76568
                                                                                                                                                                                                                                                                  Entropy (8bit):6.4853478188512375
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:67OYMIHH9XOUiSd13OETTzlw49YLOXC3zlc5rbIRWpqIWHVz9:8ln5zX33DTTzlp9YLNDlc5rMZIq5
                                                                                                                                                                                                                                                                  MD5:4F6B324C53BBB877F0F42A6EAB84179B
                                                                                                                                                                                                                                                                  SHA1:3E57D33C2292533D31CE0D5254C2225ADFB1F1ED
                                                                                                                                                                                                                                                                  SHA-256:83968FC6BDF453ED228B7DA140C248ADE2F7A6084978DB67205A97636664F11D
                                                                                                                                                                                                                                                                  SHA-512:284DE4790BADFB59A9CD378A4789219CBC4CBEAB299F8F126B167EDB77F9204CBFEC9EC4309743E414D6931B7FFC73D530C2253C609A68679115EEA3C9894BBC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!............." .........................................................0.......U....`...@......@............... ......................................8(...........)... ..........T...............................................................H............text...1........................... ..`.data...............................@....reloc....... ......................@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...R.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.S.o.c.k.e.t.s...C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...b.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):182064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.640593125749875
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:crJ1yGe/CWqtx3IRJK9Gkszawp+z1Mq87repROMKKnXWRDYZbQLmvh6st/9o1BV/:+yGtt+Rh887rijXXWrmvh3tu1O/ZRhmV
                                                                                                                                                                                                                                                                  MD5:C7159CD5889AACF32C60F1209B45B306
                                                                                                                                                                                                                                                                  SHA1:B21C82BC847D02C854BBF06B5F7DC6570EE95323
                                                                                                                                                                                                                                                                  SHA-256:30698ED152943072144CFFA5530C4D1F7A39C2AC0B9D4D982CA39CD9011FDF70
                                                                                                                                                                                                                                                                  SHA-512:3261D5EBB7D2240E9D901A4FF42E89F05A336BB4DF9AFC5063B79DEDEC705C7357DDADDB41B1C61FE9D91784C03163E10025CB63AF3EE0A38776A50AE9688F7E
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....p..........." .....d...8......................................................c/....`...@......@............... .................................. ....O..`.......0)..........H...T........................................................... ...H............text....b.......d.................. ..`.data....3.......4...f..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.581798101266097
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:pV6EWw138N8G2WowVaWTYA6VFHRN7u+TcTR9z6ZGa:pV6Er138x/FClBwV9z/a
                                                                                                                                                                                                                                                                  MD5:9E6ACD5E0685D1C4B169FFCC4A990B48
                                                                                                                                                                                                                                                                  SHA1:67DC8BF8B6A120C3CE8FE8BDFF88BD84CB11FE77
                                                                                                                                                                                                                                                                  SHA-256:A6BF9DB02AA10F6ED725DD5D7E72AEF926361DF982F135CF8D9EAAE4FAFE47AC
                                                                                                                                                                                                                                                                  SHA-512:62E8CB2DDB1CE54D327F9324BA49ECAFA650A98F83C494F2083A45850334976E7A3B375CAE46B3DE65A384D22E378A862C66506CE5947A4B3C9F9D91B0009D01
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$............" ..0..............2... ...@....... ...............................A....`.................................92..O....@..8................)...`......l1..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................m2......H.......P .......................0......................................BSJB............v4.0.30319......l...X...#~..........#Strings....D.......#US.H.......#GUID...X...D...#Blob............T.........3....................................6.................l...|.l.....Y...............M.......m.....m...c.m.....m.....m.....m...'.m.....m.....m...^.............n...5.l.................S.....S.....S...).S...1.S...9.S...A.S...I.S...Q.S...Y.S...a.S...i.S...q.S...y.S.....S. ...S.....S...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.708846111618444
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:1Brpigxx9pWabBWipWjA6Kr4PFHnhWgN7acWDDcADB6ZX01k9z3AtOnV:157jpWabBWiYA6VFHRN7+DcTR9z6iV
                                                                                                                                                                                                                                                                  MD5:30549E2D5F2895F31260F03550D1AB89
                                                                                                                                                                                                                                                                  SHA1:2A9A436A1423569F906CAE05BD068849CFFE2D5F
                                                                                                                                                                                                                                                                  SHA-256:D21E226271AB8F12D1020BD9C644E5E77E6189C4F11931457A1638FAE8E85F21
                                                                                                                                                                                                                                                                  SHA-512:1962C98B89742FE19B23E928AC5659FF590CF561EB59B47986868794811B58865A76DB54AA6B9F8C2B24B40122D36158DD064BB4C848C3DC29C56634201AF035
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'..........."!..0.............N*... ........@.. ..............................g.....`..................................)..W....@...................)...`......D)..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0*......H........ ..t...................P .......................................T..c@..Go.3..j...Ey..R.C7..Y..Q...~+.\.AN.P...].j.+@.k.m.q[...k..;l...R.....]xh.}E..A.....,}....HnW.o...$g^..M...........%;BSJB............v4.0.30319......`...<...#~..........#Strings............#GUID...........#Blob......................3......................................D.........]...........v...................`...8.....0.......r...\.r.....r.....r.....r.....r.....r...}.r.....r...........6.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.700345163959257
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:cYawsYuvWevNWJpWjA6Kr4PFHnhWgN7agW3IgRxwVIX01k9z3AAljul+Yth:YHvvWevNWJYA6VFHRN76PR9z5lju5th
                                                                                                                                                                                                                                                                  MD5:251B3ADECBFC6975739805BAE9F63A05
                                                                                                                                                                                                                                                                  SHA1:5B04529783740F8BF1201ECA0DDE06D12C1C9A29
                                                                                                                                                                                                                                                                  SHA-256:1D46A019294A694C09B124AAD3FB55240A28035410FFF99AE028B08A8B0D42E0
                                                                                                                                                                                                                                                                  SHA-512:8FF80308BE71189708F8139565818D4510FB8917E8657842635F02BFAAB9F944D80A1683E86E0885FE876BF1309AB12CF4B1497FB7DEC5E169C142595AC97894
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....@..........." ..0..............*... ...@....... ...................................`..................................*..O....@..X................)...`.......)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................<)......................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.,.......#GUID...<.......#Blob............T.........3..........................................0.........]...............................D...?.e...K.e.....e.....e...".e.....e.....e...}.e.....e...V...........e.............-...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):91312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.552363583416721
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:7YFJyHM3VtaIGdrG6mksFajOoPnCXrrgpenOpEINYcIwUAZ+K+t34h6FqgHzqWUE:7Yms3VsI+Dmkz8gMnOQcdDzsqSqWfz/
                                                                                                                                                                                                                                                                  MD5:298C81F3EBB890CC364CCFDCF34058C5
                                                                                                                                                                                                                                                                  SHA1:6934C79624BB3DA9D22954EE339049D43D9BB83A
                                                                                                                                                                                                                                                                  SHA-256:A3D82D91C5C016586867F63F6CB75DD2062BC65068F3F1BFFE87DB6EF3C5F743
                                                                                                                                                                                                                                                                  SHA-512:F6DF7D3274A50BAAAD7A3B748615BC111040A080AB966956143A2E1A6CFA69A6CB64D6DB192CB1FCFF147BBF5E2C8BB6AC94B2101E6B8136136D5B1D7002BBBD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....=..........." ..... ...................................................`......E&....`...@......@............... ..................................t....).......<...(...P..........T...........................................................x...H............text............ .................. ..`.data...H....0......."..............@....reloc.......P.......:..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...O.b.j.e.c.t.M.o.d.e.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...O.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2077448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.722460846508454
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:7r/zyRgRZfG3NMhSsdt1VTxpCBqlY5anISqsVZp3tODPPLD2DL0qF2:3/xZOqF2
                                                                                                                                                                                                                                                                  MD5:19BF6B8608C66AC95564DF67948A1F01
                                                                                                                                                                                                                                                                  SHA1:2E51080CCD8D044CB7F88E5186CD6A27234E7349
                                                                                                                                                                                                                                                                  SHA-256:3160457511B908D08EE652586B6288827D894765319E4D874271C6E35C569CCC
                                                                                                                                                                                                                                                                  SHA-512:F27689677446EEF7D559F94EF7E48C6C3E0629119516D91E9C2F11F80E7481D5AD749A59F75DDE09C03342B1E5FB2CAC3C933A32A05F678FA7977A0F65AE26BD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....t@..........." .................................................................. ...`...@......@............... ..................................L....`..8........)......,!......p...........................................................P...H............text...Q........................... ..`.data...s|.......~..................@....reloc..,!......."...h..............@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........T.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...0.....0.0.0.0.0.4.b.0...j.)...C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...D.a.t.a.C.o.n.t.r.a.c.t.S.e.r.i.a.l.i.z.a.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...z.)...F.i.l.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):405264
                                                                                                                                                                                                                                                                  Entropy (8bit):6.714042900365998
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:KR+I69Gw4hphuS5BpIVGcHH8lKPmS6up6+:2+WNhpBynH8G16j+
                                                                                                                                                                                                                                                                  MD5:9D4484E7B3FEC9597EF9ED633AA3168F
                                                                                                                                                                                                                                                                  SHA1:21DD509808A6A0EECF13298E3FA541A391E452C2
                                                                                                                                                                                                                                                                  SHA-256:29DB6AF0D7E4400CD041FAC47546B20BDA2CE5EB730264C99FBC0986751085D8
                                                                                                                                                                                                                                                                  SHA-512:4CC385ED15E2038FCDCA55A57E83CEB787B80E1CEF18EDB2BB36E912563BDEBE7DF74B1AAEA6347B0823299FF967F3483D761387B330543AE0C2752A8B6051B1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........j...............................................0............`...@......@............... ......................................,....0.......)... .......+..T...............................................................H............text...*........................... ..`.data...O`.......b..................@....reloc....... ......................@..B............................................0...........................d.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...X.m.l...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8505608
                                                                                                                                                                                                                                                                  Entropy (8bit):6.821437608207014
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:Smwr9q/Lo4Ou8M1xwOSZ+0TaFqZlH1naEeVQjhV:h/XOu8MzwOSZRYQ5deWjX
                                                                                                                                                                                                                                                                  MD5:3A78E5F2522B643BE517D485D2FA9EC5
                                                                                                                                                                                                                                                                  SHA1:4542B8B41B97CDF08672114D38DA87FAE88775AC
                                                                                                                                                                                                                                                                  SHA-256:335867B5D2E3FF3FF3B0CFAC4D8B654300AF9E3BEC3E0A6A38441415335381EB
                                                                                                                                                                                                                                                                  SHA-512:84F92F4661D66AB1EE5EDA970204A5487E941CA0A83C105B701B818B653950E11E9753DFB3F840C055DED799D23F8928CC9501BB6DBD198B9216B1BA438B0C24
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......|..............................................................`...@......@............... ..................................<...D...8R.......)...`..X_......T...........................................................@...H............text.....|.......|................. ..`.data...8"...0|..$....|.............@....reloc..X_...`...`...@..............@..B............................................0.......................,.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^...........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........D.....S.t.r.i.n.g.F.i.l.e.I.n.f.o... .....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):66312
                                                                                                                                                                                                                                                                  Entropy (8bit):6.579630181472548
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:SsGqs6PbkymbnA0be+s8cu5BiEUxbluKm0i9pzWYf:SsxsUoymbAiy8BiEY9m0QpyYf
                                                                                                                                                                                                                                                                  MD5:7051A2BBADB9065085E4354A1F300936
                                                                                                                                                                                                                                                                  SHA1:EE7E3E2029DDD2E5044A9E74FD4659CA2D792AAC
                                                                                                                                                                                                                                                                  SHA-256:AC28D3517C24ECC00AF041D5B3C3D878AA816082F658AD826D6F6CD0C4D5E170
                                                                                                                                                                                                                                                                  SHA-512:1EEE4C0C03E5086A425D047E8EBEFC28EF4DF603BBCEE22A03C363383299ED6C001BF5E45FE8146058285E08E22B21926DB7CE78A7D735DF8EDDA89B9F9668EB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<.7..........." ......................................................................`...@......@............... .......................................%...........)......0.......T...............................................................H............text............................... ..`.data...............................@....reloc..0...........................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...D.i.s.p.a.t.c.h.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.731452166320643
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:KdmAPIh5WVsUWjYA6VFHRN7c7VXC4deR9zVjx0B:nAPCTdFClc7VXC4dC9zVj6
                                                                                                                                                                                                                                                                  MD5:23DCCA25D64F033EC933CBF083D19EA7
                                                                                                                                                                                                                                                                  SHA1:3FC9E0DD194587839DDD66ED84DC0F6424031794
                                                                                                                                                                                                                                                                  SHA-256:BD9BE884AF004544C47727D6C84256395F3968A97C9AF47484BAD919F103A9D4
                                                                                                                                                                                                                                                                  SHA-512:2C19609752E2E40F3FF48CF30E51B4ED58836FA4DADE6A250EA2F34579CBB9BE4F9B07A68C2D3CDB61537FC8C408946D3DB336E9D4BD7E4C404F75C1E5036596
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\............."!..0.............n*... ........@.. ....................................`..................................*..S....@...................)...`......P)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ........................................I(..PNp.....e{..$....v+..P;...:.!P#..4.e.y.P.8.d.t^.|.......}.m.....&.|.z.d.....!y.8.`L.M3..8F.C..c..*...|.K].....6.a.."BSJB............v4.0.30319......`.......#~..t...D...#Strings............#GUID...........#Blob......................3................................................"...........;...........f.......7.................b...!.b.....b...[.b.....b.....b.....b...B.b...O.b...v.............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16184
                                                                                                                                                                                                                                                                  Entropy (8bit):6.717541563928021
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ydbjS8WxRVJW0+X6HRN7hUzDtdQ5R9zP2il:w0yWGFds9znl
                                                                                                                                                                                                                                                                  MD5:D67025C176E928D4A4D300DC552A8D6C
                                                                                                                                                                                                                                                                  SHA1:A363A379995B46190824D278836CF752CDCD1A10
                                                                                                                                                                                                                                                                  SHA-256:39217B38B36627DE4C09A116F3A26E3565C3150255ABDF492B7296B2822B6181
                                                                                                                                                                                                                                                                  SHA-512:396A77F1F5ACE23A81B59A292576FE7A6EA5C2842E768DE91D956595851323A75BBB0AA826395C0331528CE5374238A6D3BEF644264E33B71E33E42ECD821FA3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K\............"!..0..............)... ........@.. ...............................2....`..................................)..K....@..................8)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................ ..d..]...Y.D.\~...s_..j.Z...J@.Z.....<add....G....Y.b.x...}.\Y.w@..cF.U.S......>32..@S.\.....C.nO..=..n.3...8....6.O...XBSJB............v4.0.30319......`.......#~..H.......#Strings....P.......#GUID...`.......#Blob......................3................................................2...........K.m.........v.......@.................G...1.G.....G...k.G.....G.....G.....G...R.G..._.G.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.734500709043853
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Ilxvu8CLLW6MbRWcYA6VFHRN7XYdFDR9z7W3F:+u6tFClXYPl9zy
                                                                                                                                                                                                                                                                  MD5:4FE8A8072F206B46ADDBAD0C61168D59
                                                                                                                                                                                                                                                                  SHA1:2270D75DFCC5B1A5F4751A5CD027D10FFB62B5B2
                                                                                                                                                                                                                                                                  SHA-256:C2949807B3BB6EC74EA786708335CAF5484082CE4901AA0D5D1B59608699A79A
                                                                                                                                                                                                                                                                  SHA-512:685424B68AC153B3E55333F48ACD2B182DFC477CB6F590DAF410EA59532A61BF429948BA9B4E74EE72B43E4E5F2B33E015A18D023249E416CA02667F9373EC0F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b............"!..0..............*... ........@.. ..............................o&....`.................................d*..W....@...................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ......................P ......................................|....chR.(.._.@...|.3.5.8,.b5.......?O..cT.....>...S....z....K.O.N.2.....j..5..y.........[,5...?..(b..A.\...HL,.....J*. iLBSJB............v4.0.30319......`...X...#~......p...#Strings....(.......#GUID...8.......#Blob......................3................................................"...........;.....2.....f.......$.................+...!.+.....+...[.+.....+.....+.....+...B.+...O.+...v.............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15624
                                                                                                                                                                                                                                                                  Entropy (8bit):6.8012541413925405
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:3t8YJXWKyWWOYA6VFHRN78RxB+R9zP5xE:3tdS2FCl8Rxw9zPE
                                                                                                                                                                                                                                                                  MD5:359100F45ACC2BA5FC6F2568B06ED5CD
                                                                                                                                                                                                                                                                  SHA1:466C5050B1844078C01A498C11413CCF626A7FA4
                                                                                                                                                                                                                                                                  SHA-256:6A993469374344523406736668802D19C0EB9A86A688348866A753B3340EAF33
                                                                                                                                                                                                                                                                  SHA-512:CC272C6E2DB59C6E890308A6C9D479B4C6F233FE450288AE02B37A4ABC8EE4E13ED8B32579F92EDD6D4A59CF724F8A5AEA67AFFD909ED0E695D1ECF57A9CA280
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z............"!..0.............n)... ........@.. ...............................y....`..................................)..O....@...................)...`......`(..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........ ......................P ......................................2.. u.Y.....b.I.oi...Z......^...NC.w.........B......Xuu.|].^.K.l...N7..D.j...N.Z[.R....C..f.17X.fWCW.i....d......*9.Uw.D.BSJB............v4.0.30319......`.......#~..0.......#Strings............#GUID...........#Blob......................3..................................................,.....,...3.....L.....^.....a.................w.................w.................G.....I.,.......................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1130656
                                                                                                                                                                                                                                                                  Entropy (8bit):6.715905432836471
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:Gzj22UrYDBFZmNt+Ll3tMgRrSkM7yTWHt8kJjaJlB9vNR0wyQPoVODzty2el+dj:CVuv+53rRukMZpO/kwhPDzw2el+dj
                                                                                                                                                                                                                                                                  MD5:B6D60C794F11C5487975EACB167EC9A8
                                                                                                                                                                                                                                                                  SHA1:0954C3A5693DA7B3F6D3730BC102451DA9E1B89A
                                                                                                                                                                                                                                                                  SHA-256:FD385C3D3C1B096801497CE0200CF96CBF6C7AA5BA28CD8E51A596FDFF79EF2A
                                                                                                                                                                                                                                                                  SHA-512:29E4E3A6D03D604DE8092A9D5E8A803C2DFF3A033F1FC613CC1F5411B6E8340AA38A7A375C4FD360B43A6A94A538FF768504A9A4C89CC39FE0057645FDC93541
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...H.)..........." .....4...................................................@......ht....`...@......@............... ..................................h...............(... ..h...xW..T...........................................................h...H............text...>2.......4.................. ..`.data........P.......6..............@....reloc..h.... ......................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e.s. .p.r.o.v.i.d.e.s. .a. .l.o.w.-.l.e.v.e.l. ...N.E.T. .(.E.C.M.A.-.3.3.5.). .m.e.t.a.d.a.t.a. .r.e.a.d.e.r. .a.n.d. .w.r.i.t.e.r... .I.t.'.s. .g.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):33592
                                                                                                                                                                                                                                                                  Entropy (8bit):6.486828889454643
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:kCWmaeWGlEYc9RSfX0lawccfNXuWrdzy+A2mcpPL91ePX6HRN7Ou0R9zUHm:k3GlDcWEAwcc1+Wc+bmUPLfoWOu49zb
                                                                                                                                                                                                                                                                  MD5:9D26813D0E4E76BF161DF6467D46593D
                                                                                                                                                                                                                                                                  SHA1:04100251143A0146FC28F54003E05F34B29C07D2
                                                                                                                                                                                                                                                                  SHA-256:3B581E1C257AF2B87AC6279BEAE8734E4A79CD3F86335168763BCEA8D495330E
                                                                                                                                                                                                                                                                  SHA-512:6BA1BE1142254F0F2755596ACF28825C0F43596D6D7D0CF942D40067BCE2B24C38BBED6C82E34301EBD6C21D807745723C8932C181139F9FA7A7BE0B3957397C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...-............." .....P................................................................`...@......@............... ......................................D........Z..8)...p..........T...............................................................H............text....N.......P.................. ..`.data........`.......R..............@....reloc.......p.......X..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...T.y.p.e.E.x.t.e.n.s.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16656
                                                                                                                                                                                                                                                                  Entropy (8bit):6.723329527099039
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:mEKi0jWhGCWefYA6VFHRN7P178FDR9z7Wxs:7KtCfFCld0l9z6s
                                                                                                                                                                                                                                                                  MD5:4564A146B250C1C73E59A6FED69FCA60
                                                                                                                                                                                                                                                                  SHA1:A9645B6D15EF8799AB5C0FA1D09FD5D01DFC3291
                                                                                                                                                                                                                                                                  SHA-256:F2DF432950E7751EA35A19C078376A7FEA079E739AD89C1A63CC45B41A07D18F
                                                                                                                                                                                                                                                                  SHA-512:D3A6B078FDEEB3492B20B442504CD743F84D08DD987E916F768B1222DFF81C73B4B7F72C1F8623695164A9715FC3C1E18ADF1EC2C5C877F54ACBF060ED4E2270
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............-... ........@.. ....................................`.................................8-..S....@..h................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B................p-......H........ ......................P ..........................................MA.}.]....v"E.~..O`.....H....h...?.6..>..Q]]..D^b..$.T.sR.9.,.X#MlK.O..dU..J.ukG.\...GyQ...c...>.=B3 ...4.....X....`BSJB............v4.0.30319......`.......#~..........#Strings............#GUID... .......#Blob......................3................................#.....a.........z.<.....<.........\.......3.....w...U.....M.....7.....y.................................................<...........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15624
                                                                                                                                                                                                                                                                  Entropy (8bit):6.782820861043016
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:WeP4MKrW4N3WmYA6VFHRN7RKVXC4deR9zVjx93:WM4MetFClRKVXC4dC9zVjn3
                                                                                                                                                                                                                                                                  MD5:1F4727345E2C6782DFBAADC9E9817693
                                                                                                                                                                                                                                                                  SHA1:F467E2BC1F7D1DE3FAEDC953DC8EC8707B3E9268
                                                                                                                                                                                                                                                                  SHA-256:4818E3F1CAD2A5B47078C068AB08DC0DFF4110FDC8B525A99523C3D0789BC75A
                                                                                                                                                                                                                                                                  SHA-512:B925E8166F9E8AB1FA3719FD95E792AD725C427818144E3012C27BD251B4BD109A7447F862D886017CE323FCB815EA7E02B73A4865FCDEC00D457EA51CC5CD17
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ..............................,R....`..................................(..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H........ ..@...................P ......................................|.....[s..Bn....g..X.}..z..4{.vf...........l.p......0..!..7.Q....W.u.Cg^.....b.7=.y.7.....n.."4.......NHeS..?s.P.........SBSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3..................................................=.....=...3.*...n.....^.....a.................w.................w.................G.....I.=.................$.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16176
                                                                                                                                                                                                                                                                  Entropy (8bit):6.777064915062182
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:LJMER3xxBRvWVxzWteWxNzx95jmHnhWgN7aIW5z45WXYz1X01k9z3AyoFewPe7:OmhLRvWVxzWtlX6HRN7moJR9z/Ke7
                                                                                                                                                                                                                                                                  MD5:8245CEBD42F6DDE00034133DD1E618B6
                                                                                                                                                                                                                                                                  SHA1:80A448FFBF1B6DD0FD033AA925D8793B440C486F
                                                                                                                                                                                                                                                                  SHA-256:ED43F130E2E71AE9C4160D887BDD004105E34B0D353DAFF1F12F7DE7CEFF6737
                                                                                                                                                                                                                                                                  SHA-512:B8202FDF61803A2C6A071D68F6AD9E0F153E54745044EC298505EED852DF25140992C4FF753C1E8E8FF42AB0FDDFC8D846E1EA1438295C4FD5C83A563663CB5C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0.............^+... ........@.. ..............................b.....`..................................+..O....@..................0)...`......H*..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@+......H........ ..x...................P .......................................B0.;...V#...4C.....t...C...5.I8./.....B..}.O...'.=?ky2...)L0..`.A=....U_.w.'Y......h.I..2Y........GK... |?l.=.p...Y..M.BSJB............v4.0.30319......`...h...#~..........#Strings............#GUID...........#Blob......................3......................................M.........f...........].l.................r...A.....9.....#.....!.........................................q...................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20232
                                                                                                                                                                                                                                                                  Entropy (8bit):6.598667978987244
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:MWspLW2LIrR/TvnaNEcv2YA6VFHRN7eCVCEpcR9zURG:4RLq/TvnaNwFCleCVCEpw9zx
                                                                                                                                                                                                                                                                  MD5:1EC59746C207B75224D1C170AB65D5D9
                                                                                                                                                                                                                                                                  SHA1:106EF6FB34DC9B2555A8723603828ADB736A312D
                                                                                                                                                                                                                                                                  SHA-256:3526B82CFB921E84C749DC54976503441D09FD36F569A0D574FB6819510AB7CA
                                                                                                                                                                                                                                                                  SHA-512:1DC5606DC607A349DB6A462D317CFCFAEC5D0444479FBC2B8C7F01D2E0E2443711C2E9DD0FAE7A702FB27ADA10DB52CFCDF2D5D7AA4C704911CC4B11516DF829
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ..... ...................................................P......#G....`...@......@............... ...............................................&...)...@..........T...............................................................H............text...`........ .................. ..`.data...D....0......."..............@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...V.i.s.u.a.l.C...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.628514917253588
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:c5y7UByGe9xCEV6mW8/NWMYA6VFHRN7/5FDR9z7WGM:saUByGePrVFClTl9zq
                                                                                                                                                                                                                                                                  MD5:C692B087C3167E7263397E9B34E94332
                                                                                                                                                                                                                                                                  SHA1:105D78B07E06E1C28AB69DC7E8CF4A7F6A71AFC3
                                                                                                                                                                                                                                                                  SHA-256:59692C49D72030F5259052EFAC5BD88BC2D3471450D3F081D64F1E60E2C502E2
                                                                                                                                                                                                                                                                  SHA-512:8484AF16073C9CDE88E67BECBE2C1C126FC4761323C7A2AD71D869447649A8529D23A3CB779F34E1FE388A0004BD9FEC4B801E1FBB8B527BC39BAC97AE48C2E7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0..............3... ........@.. ....................................`.................................<3..O....@...................)...`.......2..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........ ......................P .......................................O...u..?...[\.....2..[ y..m....>...,....m..9..GS6...B0d:..]u^...O..E.......a.7F.......i.4#....iH..+..E.y%.Bc...Hm....n..BSJB............v4.0.30319......`...$...#~......l...#Strings............#GUID...........#Blob......................3................................O...............Z.............m.........,.W.........5.............p.....p.....p.....p.....p...E.p...b.p...z.p.....p.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15632
                                                                                                                                                                                                                                                                  Entropy (8bit):6.822445014968599
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:NHx15LTIWASmWOpWjA6Kr4PFHnhWgN7agWyA8RwX01k9z3AeJRf/R6Lv:NR15LTIWASmWOYA6VFHRN7a9R9zrJRw
                                                                                                                                                                                                                                                                  MD5:80FC1F4FCBAEBFB32BC62687AB95A9BD
                                                                                                                                                                                                                                                                  SHA1:C20C3D1039A0B374393694CF0A7921B3FFB54161
                                                                                                                                                                                                                                                                  SHA-256:6DE0F580DBCCB63C2B6053AC81CDAFD7FDF5C8A1B177D336DD75D9E1DD176E0D
                                                                                                                                                                                                                                                                  SHA-512:B4E8AED6A8F81F3E7DD206FCCF06BE65E6186700CCDCBD741B08172AE7D6F74EDF2241E59AFDFDCA212DC5AE01B5399AF79F150D4BFDC0D8784714DC930CA133
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wi............"!..0..............)... ........@.. ....................................`.................................|)..O....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................t.[.%{*.d*&.WQ.O.!......."...F.z.NQiqD.....v...gCI?r.U............h.\</]....a..q}V.....d...t.S.. .I..7.^,s.....9..t..&..q.BSJB............v4.0.30319......`.......#~..L.......#Strings....P.......#GUID...`.......#Blob......................3................................................(.x.....x...f.F.................'.........L...........a.......................H.....z.....|.x.................@.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.450786767544824
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:JYWHcUWW2i5ctERQXIG6KMWFYpmGRIOBB/rSYA6VFHRN792R9zza+X:Jm8SAKMWFkmGakB2FCl9K9zL
                                                                                                                                                                                                                                                                  MD5:25B91230BE0B6D4FAC1B999ECF8FC76C
                                                                                                                                                                                                                                                                  SHA1:2D943785738A21D9C2026726C8500A606E022D8E
                                                                                                                                                                                                                                                                  SHA-256:1A536B20C7FD07A4B156C6C68048AAB24BDDC19786C98704E7EF11FBDDACCA0C
                                                                                                                                                                                                                                                                  SHA-512:B3AAE1F551B4CE642BF5B347F35186A1F7B8BE08F4F186971FB3D99991C24E5F04BDBFC70EF4A46DB87A420C95ED9E3C1AE0A7B893D5C7B5CF9A5193B1D4D64F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...j..........." .....H...........................................................+....`...@......@............... ......................................H........T...)...p..p.......T...............................................................H............text....F.......H.................. ..`.data........`.......J..............@....reloc..p....p.......R..............@..B............................................0...........................p.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):51984
                                                                                                                                                                                                                                                                  Entropy (8bit):6.480267391585499
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:sBfoK6fKUINsWW/z2rg8Z61rvZqhwFLXFMjKYuPt3FClT9zL:sBfoWUINcz2r1GqhwFLFMjKPPt1i5zL
                                                                                                                                                                                                                                                                  MD5:88512250F0E7ED903BFA2A457CCFBE9F
                                                                                                                                                                                                                                                                  SHA1:9020853BFD6C297AFCECDD12AF6014A57111DE7A
                                                                                                                                                                                                                                                                  SHA-256:BDA3738F6C45B50862D09DDE795B4FD27E31815DDC8918A16F63B2C4BACA5FB2
                                                                                                                                                                                                                                                                  SHA-512:B4419F8431B756B4262195013068E4E851A17B49972C9E3112BAF2C22EDF795E82C614A4B2BBA0613E60E873FC8093EA302E18F68B8E85FFB3504D04A9DBEAA9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...O............." ......................................................................`...@......@............... ....................................... ..P........)..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...I.n.t.e.r.o.p.S.e.r.v.i.c.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16656
                                                                                                                                                                                                                                                                  Entropy (8bit):6.677337531505305
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:tTBV9nrJAlvWmpLWNpWjA6Kr4PFHnhWgN7agWySnE8RwX01k9z3AeJR7oA5k:D1QvWmpLWNYA6VFHRN7+E9R9zrJR7o7
                                                                                                                                                                                                                                                                  MD5:514CEF61159B16DE1FDAED7056A3E0D9
                                                                                                                                                                                                                                                                  SHA1:7ED1FB6A569A7C9E8507876A094334CF9F3B0969
                                                                                                                                                                                                                                                                  SHA-256:A421933A4B9EEA4170EE68EF1754DBA590970599CA2F5B52F92DE7B0DC2769AF
                                                                                                                                                                                                                                                                  SHA-512:4450BB36331EF7B9F08F7527E3C3509393CBD58CAA27B1BDD877204CF0934C684CB78D81231B94868524AC5F031AC3E8DF234F55567CDF54691510CB2184D6BE
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............-... ........@.. ..............................~z....`.................................d-..W....@...................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P .......................................l....@..... 22....8..0..4|....."...~e._.=..x.?..1.....d.........*>]wD..3..g.f.."J...-.B.4..."w....S.|...z.a..G..6..7s.$.BSJB............v4.0.30319......`.......#~..<.......#Strings....$.......#GUID...4.......#Blob......................3................................9.............................p.........?.....g...................1.....1...}.1...4.1.....1...X.1...u.1.....1...(.1...O.............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):221960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.872789919122551
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:d1Bg53qlzkOGjMD1jUZVEJrSALXuDcWro1CS:jBgxqlz1GgDRKVEJOIuDcWcCS
                                                                                                                                                                                                                                                                  MD5:C1D83BB993CA11B212B0B44576DD31E3
                                                                                                                                                                                                                                                                  SHA1:E819306131C8FDEB9CF89DDB0C9DAAA5B517BF22
                                                                                                                                                                                                                                                                  SHA-256:CD2F87FC4EA7F88B52EB8521EDE7D36B80BB329FAA8DE163BC0C0491832D0F74
                                                                                                                                                                                                                                                                  SHA-512:29D3EA8C257893095C6B076F1F17D903A74EF7E7AD4AE52C87B7746168BEAB1D828D2EEB037FC1AF76C5CBC2A61629F04873248A96456340EFDAB1EE96341692
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ......... ...............................................`......~t....`...@......@............... .......................................T..x....:...)...P......P...T...............................................................H............text...1........................... ..`.data...P....0......................@....reloc.......P.......6..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...N.u.m.e.r.i.c.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):322824
                                                                                                                                                                                                                                                                  Entropy (8bit):6.695090576962379
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:5vZzvy5t66x3yEHAc1mZdOqZYqdKfR8wwWRwG/Y14CFYHQ9B7B:/vSiEHAc1mZ4q0uRawG+dz9B7B
                                                                                                                                                                                                                                                                  MD5:025DB3101A59BB29AFE8FCDC33D5590A
                                                                                                                                                                                                                                                                  SHA1:0AB913D0EEDAB18146897D866EBF785C78681439
                                                                                                                                                                                                                                                                  SHA-256:B7BA1AA2D0276DEDA176C1AD572C3C4FAD224FFCFEFC045896B52AD730673EB7
                                                                                                                                                                                                                                                                  SHA-512:3E3B9CE99C4BAC8E4B00C38E93DE59EAFBD0651F03A5E25E51916D399318B958FDCAF95AB961688C1318E117727E1D12EA2C43F0EBF79E4E0126CB3B113B924C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....V..........." .....p...R............................................................`...@......@............... .......................................o...........)......(....&..T...............................................................H............text....n.......p.................. ..`.data....I.......J...r..............@....reloc..(...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...F.o.r.m.a.t.t.e.r.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.730609288657777
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:kB9qNyVWbuPdB5W2YA6VFHRN7wYVMR9z2vn/:iayWudBzFClwv9zwn/
                                                                                                                                                                                                                                                                  MD5:686CD3BE26B4649484D56031B21627FC
                                                                                                                                                                                                                                                                  SHA1:4CE1F71FBCFAEE92A0D38F32BCACE1C4D077A488
                                                                                                                                                                                                                                                                  SHA-256:069AFF3EC1D53B0A2255DE6243A057E9B00AC6D01479F35382B2B16BB57A23A2
                                                                                                                                                                                                                                                                  SHA-512:9596C529CD67B37E7CBEEA03496B17DF4CD56D2519AB715D57290EADDA16D8CF72CD9F7A5E18AE10CA5787B856667BB9B05EC636C88DF1B4D8EEE2163FC3017D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O?..........."!..0.............~*... ........@.. ..............................UH....`.................................,*..O....@...................)...`......h)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ........................................_...DGw......GA..=..-G]V.....=.na........O.[.0.l'5d..a9.q4.+.*..v.2.cE.T...161..(O.........?.5..K. "....-...4.^y.'m..[.BSJB............v4.0.30319......`.......#~..|...d...#Strings............#GUID...........#Blob......................3............................................................3...........^.....a.......O.....O...w.O.....O.....O...w.O.....O.....O...G.O...I.........................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):28944
                                                                                                                                                                                                                                                                  Entropy (8bit):6.471330473213999
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:MHWFIBJBrW8trwhWKH0sdznMbKF+87makO2akSMHHDHEHsObEruYA6VFHRN7HqR4:MqCJBZtrelWW+8d8KnFClHG9ze
                                                                                                                                                                                                                                                                  MD5:A1968D6A862286C05F86EAC22F21B8C3
                                                                                                                                                                                                                                                                  SHA1:D23A410A8A4450EACE5AA230E088ACEB6743B29C
                                                                                                                                                                                                                                                                  SHA-256:938F43DB59DBED4F306492750DF1CA32B2F5F487AC00F1DCCF27830231F2DCB6
                                                                                                                                                                                                                                                                  SHA-512:8060EC092E97041AEC48E9F23BD27F8E8555161A74C213E182104E65F2B80E2285EB73F6A69EA4BFD8903936C59F958DE2F48AE297AF66942C6BE861B9C27DF6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....@...................................................p............`...@......@............... ...............................................H...)...`..(.......T...............................................................H............text....>.......@.................. ..`.data........P.......B..............@....reloc..(....`.......F..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16656
                                                                                                                                                                                                                                                                  Entropy (8bit):6.762030084243297
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:guYklmI8N5vBRMWsB4BBgWGYA6VFHRN72kFDR9z7WsKkR:OklmI8N55Ri6BBEFCldl9zn
                                                                                                                                                                                                                                                                  MD5:53330C1C8FD918CA2141C0039D72BC1B
                                                                                                                                                                                                                                                                  SHA1:51B86E844A3655398ED9DE18D7490429BB0F1E6E
                                                                                                                                                                                                                                                                  SHA-256:0F8A0BCEFBC1F0E854CFCDBA028C53C8D658B3CAA26706DE6D1BC89A92CB4C22
                                                                                                                                                                                                                                                                  SHA-512:D4F1CA15CE03EC02BD009B0D5E03612AF2C34C19E8D50F2CFE39C6CFD9C7D687CC95292F5A5548A11C7ECB3339BA816659BE535B6403B2F3BC955E8587DAE199
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............-... ........@.. ...............................v....`.................................p-..K....@...................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P .........................................].h......[..ja-R......Q....GD..>.U ...x..6.;...-.a.9.>_...J../.A...D.}Udr..mV......Q.....E.8.Sv..V7.Ov.5`.Z..XN.Q>EBSJB............v4.0.30319......`...d...#~......d...#Strings....(.......#GUID...8.......#Blob......................3..................................................f.....f...W.;.................Q.........=...........R.......................9.....k.....m.f.......................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17672
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6341633149040415
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:y6EvDj8NluLWgMM4BHWdYA6VFHRN7J/ecTR9z6Dw/:y6EvDj8NsPP4BGFClVzV9z2W
                                                                                                                                                                                                                                                                  MD5:C68962D082AF9B2AA66574EB7CC19E32
                                                                                                                                                                                                                                                                  SHA1:EB28F7AE0ADAB40F950098E6AC4C24EFA7A16031
                                                                                                                                                                                                                                                                  SHA-256:62C5827EB74A101342D3C02EC909B6F9F2CEF8C871A21AF93129BDAA16003EB7
                                                                                                                                                                                                                                                                  SHA-512:99BB410F23E4FD2AD46F8ECAE38C881BBAB0A6252DEFB25EB53CFF659323586A28B269B1061B04E23D0433F4E62D8E4A5260C0E80DF5C79A6DC19C137E06B4C7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ..............................B.....`..................................0..O....@...................)...`......./..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H.......P ......................./......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....................f.......t...............7.......t...=.t...M.t.....t...B.t.....t.....t.....t.....t...e.w...&.w...r.........................T.....T.....T...).T...1.T...9.T...A.T...I.T...Q.T...Y.T...a.T...i.T...q.T...y.T.....T. ...T.....T...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):42768
                                                                                                                                                                                                                                                                  Entropy (8bit):5.818262385725449
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:YBV0jdpFKYl5f4bGRi2xVbcVT4p8JOaFCl6l9zPh:kedGYl5f4bGR3G04OWi63zZ
                                                                                                                                                                                                                                                                  MD5:B515896FEB8F4B378E9F6FEE22F5F1E6
                                                                                                                                                                                                                                                                  SHA1:348411DE58A4156B649EE9C6277B2735D88345D5
                                                                                                                                                                                                                                                                  SHA-256:6B9AF60B2B7947B7B960EF3012ADC7A81E5ACF6E990BC3FE6AF51CB13E07F91C
                                                                                                                                                                                                                                                                  SHA-512:9889D61E5F03A59B54E80D2DB49606D13DD5AFCF45E0EAEA4EFD34BF46C66FE30780A68DBD920C0C1424855AC51F62DD836D010902573113C8E93869DB6A9C09
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yU............"!..0..t..........^.... ........@.. ...............................l....`.....................................W.......X............~...)..........d...8............................................ ............... ..H............text...dr... ...t.................. ..`.rsrc...X............v..............@..@.reloc...............|..............@..B................@.......H........ ...p..................P ..........................................`.).v..v....2..#TU.eMX=.I..r...k@$.#...```.S.J...D5..........'..@......7...k.%Y........ 3*.j.......eV.{.3>..g....G.~|]iBSJB............v4.0.30319......`...l0..#~...0...=..#Strings.....m......#GUID....m......#Blob......................3................................T...............'.[3..".[3.....2...3....e.....>.. ....<3....<3....j!....j!....j!....j!....j!..q.j!....j!....j!..R.j!..&.[3..........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):215336
                                                                                                                                                                                                                                                                  Entropy (8bit):6.694443379581404
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:LcFFAFBS7nsE9WXBeAJRAipIx7kgmlZnFW2iBeVICTiupU8TVUnVZ5PDMXZoKcQf:K7sE9kesRA2imlZo2XZcn3m
                                                                                                                                                                                                                                                                  MD5:9845B4D023FABDEFCFECDA062FC68781
                                                                                                                                                                                                                                                                  SHA1:DF17714A108EE4E81F8E0B32F3AECEA03ACB9157
                                                                                                                                                                                                                                                                  SHA-256:57F85C61E832FD5DDB91A3C161939CD8DB72A8A6DE449A83F5C3070E6DACF48D
                                                                                                                                                                                                                                                                  SHA-512:49F186BD9DA01A378D9DCB1D9EF575A653B0A6779F3196FE318E6C47661857BF2A15231B0FB552014D1F3DB7F04AB990B344DC7F354711ECB1321FE40BE16786
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...|..........." .........$...............................................@............`...@......@............... ......................................@W..p.... ..()...0.......#..T...............................................................H............text............................... ..`.data...n........ ..................@....reloc.......0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):94480
                                                                                                                                                                                                                                                                  Entropy (8bit):6.450155185151261
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:vv1N9Mf5d/pMIJ7nZUyOuX3Gpafbqb9/8kGOQwQ7rzUU3q2bP6vOVFp6i/3zi:vNnMf5dhbJ3OuX3GpEbq5hOVys3m
                                                                                                                                                                                                                                                                  MD5:4CD484994224EC26CC86A61743DBFE6B
                                                                                                                                                                                                                                                                  SHA1:1BE9B7AA319B5F20FCA74C98BF57758FF7FCEDB6
                                                                                                                                                                                                                                                                  SHA-256:BC4EDCFC6BB6D79E110FBA0D203D96B5436D99969AD71C76A423A79410378A0F
                                                                                                                                                                                                                                                                  SHA-512:8CADDE72709AA52921C6175517B6DCC51D97D4207A1833A6071B876CFDC71BE0EFEF2CA65EB99E5B705A85E4F07CE363A0BBB55BC38C4BD6BE1483A5A871D6C4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...T............." .....4...................................................p............`...@......@............... .......................................-..<....H...)...`..<...h...T...............................................................H............text...T2.......4.................. ..`.data...!....P.......6..............@....reloc..<....`.......F..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.l.a.i.m.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):486664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.690959844635634
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:SLV6FPkjfmpzkb1gH0BEuUWZpQmMcxhRl3W1E:RHFcY0BEuUWHQmMcxhC1E
                                                                                                                                                                                                                                                                  MD5:6285B8AFEAF9C4ECC2519A2ABCDA4A5D
                                                                                                                                                                                                                                                                  SHA1:AF11E8E1F8E904C93C47A28CDC606E66D2AB9C38
                                                                                                                                                                                                                                                                  SHA-256:B48DC65ABE78E81118D4C382C80650F5AE0D99AB6FBEBCD4DEAAB00FF7E0DBB8
                                                                                                                                                                                                                                                                  SHA-512:78DF10774CF735C6518E91D50ED5B2A0906F1174CF5F7A42B3328C5B688980540576F43BA73B133E2D2C1DB57D0A1AF8D1880DE02F234EBDC57B6F2E2D5400C3
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<............" .........Z...............................................p.......J....`...@......@............... ..................................h........2...D...)...`......(0..T...........................................................h...H............text............................... ..`.data....P.......R..................@....reloc.......`.......<..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):189616
                                                                                                                                                                                                                                                                  Entropy (8bit):6.63337493461881
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:G6RmWBsH04GekCQUVP2xrwjy09JN/KBWAUQ335BotiEqKaMJDByGjLz:aWBs3jikjUBotrJMGjv
                                                                                                                                                                                                                                                                  MD5:6DA6288454299B3A91665D9A3FFD66BD
                                                                                                                                                                                                                                                                  SHA1:D2E26B1D89E7817899F6AD2898AC704CC6F2CD59
                                                                                                                                                                                                                                                                  SHA-256:89B1575E5F32F368B53496A3F15529FEDE58C0324E1A12FCD20609D6CA4DAA63
                                                                                                                                                                                                                                                                  SHA-512:A0301422806C16AA8990AC2936EB62468E089F4786909C41EAFDC4E6B0A40DBB7D3E1D544A954C705E8584E22FF30172A9909A860BACBC41C234BB640892949C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" ................................................................\.....`...@......@............... ..................................h...lO..X........(..........."..T...........................................................h...H............text.............................. ..`.data....).......*..................@....reloc..............................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):93960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.412269331705843
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:Rh4T10wJ4hT5wzwW7c1LyoOeSRzxIdvaJyiyTzk0:R8SH5wzXcLyheSRzxavaQjTY0
                                                                                                                                                                                                                                                                  MD5:C048A59F3891B02B3BC8A194F3D21026
                                                                                                                                                                                                                                                                  SHA1:30D9CEB4188CF4A4B17138CAEFD3B2451B05D292
                                                                                                                                                                                                                                                                  SHA-256:59FAD34EEEE26623D44EE9D541D0E53D89A4D8A42BFF59FE466950A771BF4CFB
                                                                                                                                                                                                                                                                  SHA-512:27674625D2D249BF794DBC7F893FA403245A78B3D3DE7E32C72EC9CC7F496C2AF6752FC87B4599462128BDCBDDDF459C6754E1FDFF6148E0EFB7255FF72DE270
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....&...................................................p.......|....`...@......@............... .......................................*..\....F...)...`..(.......T...............................................................H............text...C%.......&.................. ..`.data........@.......(..............@....reloc..(....`.......D..............@..B............................................0.......................p...(.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...d.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32008
                                                                                                                                                                                                                                                                  Entropy (8bit):6.247706814220908
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:h9WAmkijRW8bwPV0D/F/pQ+1+HCeqtwlSYmxNOcVIFN2PiYA6VFHRN7xRxB+R9zD:ALeqylSYm71VI6qFClxRxw9zfr
                                                                                                                                                                                                                                                                  MD5:9648F56C224A96801B518AE5386AA184
                                                                                                                                                                                                                                                                  SHA1:9896F6B1D9A296BA0FF244A555814D52D914431C
                                                                                                                                                                                                                                                                  SHA-256:FFF0AAE4CAB8C18D606E6246FE42F290143DB0D3A88A1A1229A77D8BD8441E67
                                                                                                                                                                                                                                                                  SHA-512:C73F115BB4D0F40FF4723B634F74B909F29142A930B90431FA4395B7A6EE4FF3A5715A9D141D92D56448578D6A325637207644A330DA92D2756D363840D8AE8D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....N..........................................................j.....`...@......@............... ......................................@........T...)...p..........T...............................................................H............text...'L.......N.................. ..`.data........`.......P..............@....reloc.......p.......R..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...b.%...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...O.p.e.n.S.s.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...r.%...F.i.l.e.D.e.s.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):134832
                                                                                                                                                                                                                                                                  Entropy (8bit):6.565847770018715
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:nmpOj/BZX3krpmsUjMM+JbVUowS0hcbGWbrrrrrrrrrrrrrrrrrrrrrrrrrrrrr0:OOzBZXCPMpcbGnKk
                                                                                                                                                                                                                                                                  MD5:5CF4F3F906B7DC346D47B0796B2D621D
                                                                                                                                                                                                                                                                  SHA1:FCF0DE67C5D07ACE0D8951C2537636F99DE8D300
                                                                                                                                                                                                                                                                  SHA-256:77ED6C9832BBECAE32FE536D891EDA847405FA6AFE8801BE05B37FF6F759D299
                                                                                                                                                                                                                                                                  SHA-512:B9F501D60EB7CF60480D2BA9F2115FB99A88E9D2014E36FB49CEE0654C4FF79E219A7F3E0E838E6902ECDE1187386C0819A39B88CE171B4207724EC05C39287A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....e............" .........(......................................................N.....`...@......@............... .......................................;...........(......d.......T...............................................................H............text...T........................... ..`.data....".......$..................@....reloc..d...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):151712
                                                                                                                                                                                                                                                                  Entropy (8bit):6.659992108362537
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:bhGUnc0ENS370LLFNAzreyfs2A1upqcyeeRAr:lvc5Np5N1Os2fmI
                                                                                                                                                                                                                                                                  MD5:64AEB21B8C192B802F2C7DBF18F9C2E0
                                                                                                                                                                                                                                                                  SHA1:3740D3BC11D4F46909FE0F552B146B473922D70C
                                                                                                                                                                                                                                                                  SHA-256:2DA3E9DCA14992E113B470A0D711A51FD265D7775D9AFFA7DBDF6BEC929601C0
                                                                                                                                                                                                                                                                  SHA-512:BC979D59F8F3D3AE8B0E7E9E4A7F76A6BE08D48A8940B014CDEA532B6EF10DA2DBE9D528A4F2ADEDF98D23C3A5B287F1570B1A0CDCC68FEEC5D7C1C3C0351425
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....J............" .........$...............................................P............`...@......@............... ..................................h....F.......(...(...@..........T...........................................................h...H............text...e........................... ..`.data...U.... ... ..................@....reloc.......@.......$..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15640
                                                                                                                                                                                                                                                                  Entropy (8bit):6.835682351794018
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:mFQiRxx1WjWVUFfW+WHWxNzx95jmHnhWgN7acWel9HeAwKUWX01k9z3Aia+6w7Eu:mT/EWiFfWTIX6HRN753HO2R9zza+d1
                                                                                                                                                                                                                                                                  MD5:66B8459A7C59846CD44FF73680C4D57C
                                                                                                                                                                                                                                                                  SHA1:5521416312890B86C416345F22DA8E1322E2F8E5
                                                                                                                                                                                                                                                                  SHA-256:10BDF418B380871231F3DB7EC68D756E5935D4EF39F97C017B07E5A4308C7468
                                                                                                                                                                                                                                                                  SHA-512:6BF64AFD3EA6D2D3EEF3EE8D278FC6504E7DB694AFDD5191883C3690B76C67F4F234F0B6CDF4945A5A705BC1B90A9C29D9CA4F3066AF18BEC2179230CC85AFF6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i............."!..0..............)... ........@.. ....................................`..................................)..S....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................H.....+C........Pe..w.G.....Rq...H...O..d.(.^...d...=m}..o.....d.32...r5\.%4u...l[....`P....5.pq:._..c5k.j...MDRBSJB............v4.0.30319......`.......#~..X.......#Strings....X.......#GUID...h.......#Blob......................3......................................F........."...........;...........f.......d.................k...!.k.....k...[.k.....k.....k.....k...B.k...O.k...v.............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17680
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6083676504439905
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:AiSEs6760DX88Hg10WGlD5WdpWjA6Kr4PFHnhWgN7agW43fKUSIX01k9z3ARq+da:Axj10WyD5WdYA6VFHRN7xP2IR9zojda
                                                                                                                                                                                                                                                                  MD5:8D40E6093D4EB840E2480D6E383EB442
                                                                                                                                                                                                                                                                  SHA1:2EA0372488E3EFCFAB7074751DF8B60309DDBB0C
                                                                                                                                                                                                                                                                  SHA-256:9DDCC239CE0E75AA7845E6DE8B31ADAA25C6B5EEE78D75EE904CDBBED7C7BBA0
                                                                                                                                                                                                                                                                  SHA-512:9FCC45BDDCF4B187B15C8EDA5E6CA40D7825B7A6D1142772EEA9B70A1F9967D7A9C709E513B0EB91A2200F301A72F356142408861DC4FEA27AA0CF825C64A838
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ...............................J....`................................../..O....@...................)...`..........T............................................ ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H.......P ......................`.......................................BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................&.................................%.....?.....^.......S.....S...t.S...+.S.....S...X.S...u.S.....S...(.S...D.H.....H.........F.......{...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16648
                                                                                                                                                                                                                                                                  Entropy (8bit):6.715278782126483
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:alWpWnizlpFWqYA6VFHRN7qcTR9z6IkON:a4lFCl3V9zGON
                                                                                                                                                                                                                                                                  MD5:AA81502801E5AF25A5F74303D00A755A
                                                                                                                                                                                                                                                                  SHA1:590784EF4329D7F411979FFB77EA673C03B0539B
                                                                                                                                                                                                                                                                  SHA-256:F72F7BC1E1F16D3CF4F6C3162862F7F97B9108186BBD929B55DD94E6E98584D4
                                                                                                                                                                                                                                                                  SHA-512:509F31F1487081DD1D2B303B9C2F60E1620AF7D1D999A036B4B91FEAB085CD86101453E552993D1B913C5239AD575CC224708B3B6E23054E2E139B86CB66125B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.6..........." ..0..............,... ...@....... ..............................SS....`..................................,..O....@...................)...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ......................H+......................................BSJB............v4.0.30319......l.......#~..<...X...#Strings............#US.........#GUID.......P...#Blob............T.........3..........................................o...........w...7.w...v.d...........U.........~.....B.................a...................................".....\.H.....w.................^.....^.....^...).^...1.^...9.^...A.^...I.^...Q.^...Y.^...a.^...i.^...q.^...y.^.....^. ...^.....^...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):871176
                                                                                                                                                                                                                                                                  Entropy (8bit):7.50414684491355
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:L47xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPfREDfP7/1qiVhIWCC:LK9km6k/IwRYbiBeKGCUREDrZV2hC
                                                                                                                                                                                                                                                                  MD5:9D199E9F27CB473674BAB5BFC70F6871
                                                                                                                                                                                                                                                                  SHA1:F7069C033BB340E81C1BE7BD4BC062EE21347B09
                                                                                                                                                                                                                                                                  SHA-256:5FA8A35279B15DE005337AC2B59CDE11A147C21143B12564A453F1CD44566170
                                                                                                                                                                                                                                                                  SHA-512:D46DA52295442A82DFDD6BD3CBB2949A79CD8B51B31EB1E176476E455D216D1C7ED55ED6F4B44289A3081C8A9C06020DE29C8F0D0D22CA40AAC117D043F740CF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....g_..........." .........&...............................................P............`...@......@............... ......................................LJ..L...."...)...@......."..T...............................................................H............text............................... ..`.data.... ......."..................@....reloc.......@......................@..B............................................0...........................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7268764981814115
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:mNZvlXIW6zJWUYA6VFHRN7cUvY2IR9zoOaC:4s1FClZvbU9z3X
                                                                                                                                                                                                                                                                  MD5:DB5F67EC7D4CEFE625549E650C2B783D
                                                                                                                                                                                                                                                                  SHA1:0EE4FB5F26575B570122AE3C9A184DDD0B3EBA49
                                                                                                                                                                                                                                                                  SHA-256:3CC4AFFE60DC1DE5F66706B39A24D7E96D708A463A9A92A05288D6BA246E09E5
                                                                                                                                                                                                                                                                  SHA-512:4D86E8E161CEFB0596F1D98D52D18107CE51D6155D42C1BDDC200710BCA88317B01B2E0E84C39E85E7E70E9023B2AFB2E79737F3ED32973EB0D3106806F4247A
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n............."!..0.............n*... ........@.. ..............................\.....`..................................*..O....@...................)...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ......................................Q.(..e.NMO`._jh[......Js....o H.......0-.....w S...a...6.T..q../..0........,)..@LqS<.......a....hG.X-.o..3./.!...~#.{>.p0.B[...BSJB............v4.0.30319......`... ...#~......H...#Strings............#GUID...........#Blob......................3......................................v.........I...........b.............H.........$.....b...........H...................................i.....v...................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16160
                                                                                                                                                                                                                                                                  Entropy (8bit):6.78497387239177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:d+gBIojxxXjWfPNWRxWxNzx95jmHnhWgN7agWQY/TAgfcMbnoQNpX01k9z3Abte9:dJNjWfPNWRaX6HRN7sT/7R9zCS
                                                                                                                                                                                                                                                                  MD5:3E33747D79B6584609C60EF5A8318F5A
                                                                                                                                                                                                                                                                  SHA1:BCA2F7FBF2E45DC02C40C263FEE708624C9102AC
                                                                                                                                                                                                                                                                  SHA-256:068F309AC98BD15B1EFF243759661CC21F30E1B4CC02CCF8317233FA31D3B7CA
                                                                                                                                                                                                                                                                  SHA-512:4624C53E6E7F02E4A064FD0239C0B4B8B18A325470E9DFE051600E2CE7B1B53F7C18D5D51BAE978FA2216E0ADD928346EDA41D4F210A3556C7A7761B5D257E83
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.{..........."!..0..............+... ........@.. ....................................`.................................P+..K....@.................. )...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................M...V_.".....Y.).......lLj3..l.oh.,...R.M7....Mx.*q.cV]...L.n=..^..1.x...#c...Q...~..m8.y...ACz3.X.k...[.8A.g.n.b}.....BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...,.......#Blob......................3................................................"...........;...........f.............................!...........[.......................B.....O.....v.............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):131376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.512717394823719
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:ze6mI/UjfYxSwKqqOAl/Rn0nzg9RaBiTV:q77jfY8BSza2iV
                                                                                                                                                                                                                                                                  MD5:F596694C6924FFA61DD21A0F36FDD0BD
                                                                                                                                                                                                                                                                  SHA1:21C64C8FBDC2AB6065E70E6A500537137FEF60FD
                                                                                                                                                                                                                                                                  SHA-256:146CC7B373565F4B88558690F9B2132CC308719C72AC2603F7199E0EC6A21FE7
                                                                                                                                                                                                                                                                  SHA-512:36644B0A2842C8BD5A7EA6F6F435916FD9ADE2F3039AA7C7652E6EA85E41019B0D9470DFA7B1D99A766FE9332521D87605E644FAF9749060C2016277BE89DB66
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}.&..........." ......................................................................`...@......@............... .......................................0..........0)......,...h...T...............................................................H............text............................... ..`.data...K...........................@....reloc..,...........................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .e.n.c.o.d.i.n.g. .a.n.d. .e.s.c.a.p.i.n.g. .s.t.r.i.n.g.s. .f.o.r. .u.s.e. .i.n. .J.a.v.a.S.c.r.i.p.t.,. .H.y.p.e.r.T.e.x.t. .M.a.r.k.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1486120
                                                                                                                                                                                                                                                                  Entropy (8bit):6.807053388231781
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:BMUw61/OBH5KoaypUegQ/INE5bk9u7hInuKqO:C6mwZAUegqINGg3uY
                                                                                                                                                                                                                                                                  MD5:4281F86C7DA4EC32A1579D04D1A34467
                                                                                                                                                                                                                                                                  SHA1:B6D46920575587878DB36A68FEDFA6FEF09A2A27
                                                                                                                                                                                                                                                                  SHA-256:0EFF9FFCA65F556D8BE24E4EDDA1D08640A6D040082B8D34B993EC292BAC10FF
                                                                                                                                                                                                                                                                  SHA-512:697E0BA5BF9B97C300E5B66E61608285C1CE0E4B48B52C5BAF5CA33FB0D405F72E2AA5A50C7E6E6B8C5A7D922232189E1EC26F2B967977B74579572D3B772133
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....8...J............................................................`...@......@............... .........................................L.......()..........HP..T...............................................................H............text...x6.......8.................. ..`.data...O....P...0...:..............@....reloc...............j..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....I...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .h.i.g.h.-.p.e.r.f.o.r.m.a.n.c.e. .a.n.d. .l.o.w.-.a.l.l.o.c.a.t.i.n.g. .t.y.p.e.s. .t.h.a.t. .s.e.r.i.a.l.i.z.e. .o.b.j.e.c.t.s. .t.o. .J.a.v.a.S.c.r.i.p.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):125208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.692637451202541
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:jzHXIurk9aiG9fxBFXRPxlhzKhtTwg8AHWDV5yWR63:n3E695BFXRplhOzwDDjRM
                                                                                                                                                                                                                                                                  MD5:CB464FDA974470435C4CA140B4FADA57
                                                                                                                                                                                                                                                                  SHA1:D19EAB3F2D239CB5DF052757838D33332317C136
                                                                                                                                                                                                                                                                  SHA-256:EC11B988107C97601DE33DEF84F7259A36BC3007FFD9CDB584891114F9B41E46
                                                                                                                                                                                                                                                                  SHA-512:AEBC1EAA4B2687D24C8A5B408AB16D153B576B9832F41A553F28D576D545451D2259EDBD63960D9D7AD3723D3BA5CE36346089A77E515AB807FA9CD521ED7711
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........*......................................................).....`...@......@............... ......................................T7...........)..............T...............................................................H............text............................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...t.....0.0.0.0.0.4.b.0...8.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .p.a.s.s.i.n.g. .d.a.t.a. .b.e.t.w.e.e.n. .p.r.o.d.u.c.e.r.s. .a.n.d. .c.o.n.s.u.m.e.r.s...........C.o.m.m.o.n.l.y. .U.s.e.d. .T.y.p.e.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.733717704448286
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:fDt+HYCHcXuHV2HDHtWcNHWZYA6VFHRN7V04MR9z2WA:TzeFClVU9zxA
                                                                                                                                                                                                                                                                  MD5:05AF5514B2968C6042C5B14CB5401F23
                                                                                                                                                                                                                                                                  SHA1:3B5825931632C7CA230CA1FABD9EBAD1C8304EB3
                                                                                                                                                                                                                                                                  SHA-256:5C1B1C2129E8A201CB583F6595BFD9339D2A6D52F4F371C8013C85147EC94E32
                                                                                                                                                                                                                                                                  SHA-512:58F41A7BE222226A3BEF4271DF0555C6B6C3668C007153C98ECC422D0113F50FDABA0036A2F285D625B5D93E7DCB3F17BC9AA2C8E1193C353D6453504FFA1AD9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c............."!..0.............n*... ........@.. ..............................."....`..................................*..W....@...................)...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P .......................................3.2.]].4..k...)~ys.t...2.>=..+W.3.l. ..Q..9...."......>drf.mAz..*.=.g..\|EDps.......m..m.c.v%...yJ'-..E...6...*s]:...j.....BSJB............v4.0.30319......`.......#~..x...H...#Strings............#GUID...........#Blob......................3......................................................4...........7.......c.........t.....}.......c...V.....{.................9.....................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):505608
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7763170175701335
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:Q5EzXX03uPIhSTcNO/LSsjM5REz4sr4CGFHD6ioscEu/L2SJkSGskfT5v3P1m9rM:Q5Ib0CGFHuioHEdS2vBb5v30COTxwZ
                                                                                                                                                                                                                                                                  MD5:E332D97CC4AE5DFC6606640A64E7A766
                                                                                                                                                                                                                                                                  SHA1:ED7C0E78AEC95A6AE10F9DFA7B62728C06E4744A
                                                                                                                                                                                                                                                                  SHA-256:3411CCC0B6BA1FF70D550A8B7D2D3A373A79584B36C90C06D7BF400AA74EB39A
                                                                                                                                                                                                                                                                  SHA-512:900ACB2D761A285D7F0E97C9F548D166535329F722D99B285715F284C0C1392AFBEFF44A9E67DA2DF2866177A6778CA9D4F038C3EFF5560B872DB4398D56F5D8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..............." .................................................................6....`...@......@............... ..................................l.......HB.......)..........x"..T...........................................................p...H............text............................... ..`.data...J...........................@....reloc..............................@..B............................................0.......................\.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........t.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...P.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.P.L. .D.a.t.a.f.l.o.w. .p.r.o.m.o.t.e.s. .a.c.t.o.r./.a.g.e.n.t.-.o.r.i.e.n.t.e.d. .d.e.s.i.g.n.s. .t.h.r.o.u.g.h. .p.r.i.m.i.t.i.v.e.s. .f.o.r. .i.n.-.p.r.o.c.e.s.s. .m.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Extensions.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.821262984361922
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:Z7z05p091rcmOD5RnGWSNXW0YA6VFHRN7xWMR9z2cO:Z7gAuEPFClz9zq
                                                                                                                                                                                                                                                                  MD5:7175CFF820ACB9389C713410DD582063
                                                                                                                                                                                                                                                                  SHA1:F1C47E2B46084FEFFB44BB88D51A3932FB1F3042
                                                                                                                                                                                                                                                                  SHA-256:D060226E814A1DDF9F607AFAE51F7D5698F8E435A63FCE107E78239E349BA2AC
                                                                                                                                                                                                                                                                  SHA-512:BCDEBAE2F49084BC3F5AB9097715235E6C0A2257A783B14EAE49F2BA16DD59DA87CDE24DF5CEE6732194F8146B34B0ED4428BC2847E5ACCDA95FF637EC32A5CD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?x............"!..0..............+... ........@.. ..............................l.....`..................................+..K....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ...............................................W'Z.H......l..j.d....&v..j..\.Q_u...]><{Hr..1.+K....L..=........N.....3.M..."*B.8Q.e.....3.~:..L...Qs]..3........jg|BSJB............v4.0.30319......`.......#~......8...#Strings....(.......#GUID...8.......#Blob......................3..................................................z...v.z.....H...............G.......[.....[...............]..........._...........9................./.z.....p.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):139024
                                                                                                                                                                                                                                                                  Entropy (8bit):6.702745878398023
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:brCD+EGnNfGAKUDXxT3LBzdQZ4/FJg9C5OR291oVcJUQz:Hw9GNGAKUbxxzKZ8zaCUQ
                                                                                                                                                                                                                                                                  MD5:906D0531114C584A2E5EA50BDA99DDC2
                                                                                                                                                                                                                                                                  SHA1:FF650B1743C72683BC0019DB15332D01DE6ED993
                                                                                                                                                                                                                                                                  SHA-256:BF2C3F9EBC2A48493796F4002984F43E4630A2DB3FD26F70BD79355F3FF1D563
                                                                                                                                                                                                                                                                  SHA-512:9F50718BA3C3EC370D3AFAB850B962539CD3C84FC222485DE68289129C0443DD880B86CFED46F68CB9860CB8984E9C09386D3B756B908E160FE55CBEEC2D47AD
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....\..........." .........*............................................... ...........`...@......@............... .......................................;..(........)..............T...............................................................H............text...b........................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g...T.a.s.k.s...P.a.r.a.l.l.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7117476098810185
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:5vCj4AG3tNKiuqFzTR9WHRzWGwYA6VFHRN729WR9zjD:9Cj4LNRuN7wFClF9z/
                                                                                                                                                                                                                                                                  MD5:0822C689624C42040E5E6F38752AF2C8
                                                                                                                                                                                                                                                                  SHA1:21002E79AE998FC7B5453C77F09CB036710DBEAD
                                                                                                                                                                                                                                                                  SHA-256:E9B81690E9D7B3D67C32EB5948D63CC3E1136FF8FA19A19F2A0F5572FF6F8788
                                                                                                                                                                                                                                                                  SHA-512:1D5D2606C5FEB76EC2187098090DD928C4491EA69A5A46BD5ADAFD2EB8052CAE050F473AA8C078061965960CCBD126543B684EA18EA3D9DD50B8C1C8D0D057D4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....L..........."!..0............../... ........@.. ..............................}.....`.................................h/..S....@..................()...`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H........ ......................P ......................................c.-..6.....f.7.......Y..C..{,.K..V[v|..P....t"......[c@.......l.,.tB.^K.i...$D...M.f.+..Vn.J......l.#......_.b.....S.iP..BSJB............v4.0.30319......`...P...#~......|...#Strings....,.......#GUID...<.......#Blob......................3................................/.....Y.........\.7.....7...u.....W.......&.....t...7.....@...........[...................................|.............7...........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Thread.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.760009477775305
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:x6z2EZZV7DiWcZ7WjYA6VFHRN7/QD9R9zrJR+:axa0FClYb9zG
                                                                                                                                                                                                                                                                  MD5:3661BDD366B6EE1834577CB553D41C88
                                                                                                                                                                                                                                                                  SHA1:35DB9E13602F99C97F505E12624EFF3E873FD553
                                                                                                                                                                                                                                                                  SHA-256:E5575C2CFB312E9239978A2D439802F4D8D55C776D10B763ECBE20D2057982E9
                                                                                                                                                                                                                                                                  SHA-512:43C774556594FBFCC437B1A02FB1C938624E6D379985731A41F78E3782ADA4D8C143D32886794A7ED865FC917378C427DF90144D364F9ECBB8ADDF18CD129FC6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D{B..........."!..0.............>+... ........@.. ....................................`..................................*..W....@...................)...`......4*..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ +......H........ ..d...................P ......................................Lz.F.E.8B.1.@'.....mL.6%"U?B._....s.2.../}}....A.../yt >'\7...8r...v7..]..q.3.P..O.(.....r..E..Z...!@.z.v.......:....j..BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................].........U.@.....@...n.....`.............y...0.!...9.!.........T...................................u.............@...........

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16160
                                                                                                                                                                                                                                                                  Entropy (8bit):6.712802666065952
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ZJ92mRTaW/pBqWEFvWecX6HRN7NtFDR9z7WJFcHv:Zv8v0WNfl9zaFcP
                                                                                                                                                                                                                                                                  MD5:EC4FF753DA77ED8B2886F1E405A35DBB
                                                                                                                                                                                                                                                                  SHA1:5EFD154E9DB2D9F5428ED5C7E2CD2E7A6C284641
                                                                                                                                                                                                                                                                  SHA-256:AA213B5B4B02F04217B98064E0E6C8E67D4CF7297035578A8DEFF06044BC9427
                                                                                                                                                                                                                                                                  SHA-512:217DCD7F7BAD548BCDBFFAA24B41A56C9CE42BDBF6A08EB1726B58D3CAA0495D8492B3843EA19143D09B7B25B33AA245F45DBF88CC59CA476FBAF9736D977B40
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............*... ........@.. ....................................`..................................)..O....@.................. )...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P ......................................~+xk.f..{...,....H...P$../$..U.x"..ve........{`.....[....=QS0...K.A........AX..,.2...L.......GM.....gdt...e..#.`..f...BSJB............v4.0.30319......`.......#~..d... ...#Strings............#GUID...........#Blob......................3......................................P.........7...........P...........{.............................6...........p.......................W.....d...................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):80144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.549870749231894
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:5Tc5R35Dx0ibqDo9suGxd1JARH7AWl7iLzn:5A5R3YHDo9gxd12KWl7M7
                                                                                                                                                                                                                                                                  MD5:217C90BF12B38AEDA557263C7AF4A306
                                                                                                                                                                                                                                                                  SHA1:56390B1AC126C7BD229EC1B221E7E78BCD35B92F
                                                                                                                                                                                                                                                                  SHA-256:31F5BB9877E0777AC208A34CB63CF97E4146BF9DDBBB0B8CB451633E7C543F9E
                                                                                                                                                                                                                                                                  SHA-512:E34AF975E3189846804F2716CDBCD6FFE8D06A6A1D41C9462DFF64DFB79642EE84C944A064E35AD94E9E65B10F0B33CF604928639586137F1F00551AEDD87D7B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a..........." .........................................................0.......Y....`...@......@............... ..................................d....*..\........)... ..$.......T...........................................................h...H............text...K........................... ..`.data...............................@....reloc..$.... ......................@..B............................................0.......................T.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........l.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...H.....0.0.0.0.0.4.b.0...:.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...J.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...T.h.r.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):351520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.644714489495638
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:rEfCVr/c2WYI0De//sQMd2uAIgeUow53HIt:wf8r02WpMHenlK
                                                                                                                                                                                                                                                                  MD5:416F763F3F8A2F17177E2609FEEE284A
                                                                                                                                                                                                                                                                  SHA1:43B261CB27A461949CA6A9BC723696A6CB7A30BF
                                                                                                                                                                                                                                                                  SHA-256:C62C23429BEE731709EDA16E1986C9BD089B81989E82F9F61D532F815F8C732E
                                                                                                                                                                                                                                                                  SHA-512:A55B0B2B5196703127A0F36C00021064CCE170D428FD12EFFDA77B09D11932BBA3A92A9FBD8D3CD15F6088FEEF56A65D27E59EE87D4CED59318CF2F62C0CD849
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y............." .........X...............................................P............`...@......@............... .......................................z...3...4.. )...@.......*..T...............................................................H............text...>........................... ..`.data....O.......P..................@....reloc.......@.......,..............@..B............................................0...........................L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...L.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.r.a.n.s.a.c.t.i.o.n.s...L.o.c.a.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...\.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15648
                                                                                                                                                                                                                                                                  Entropy (8bit):6.822499066467974
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:D2Cdc393WtyGWbjX6HRN7in9R9zrJRY0le5:D21JDrWS9zQ0l8
                                                                                                                                                                                                                                                                  MD5:A61FE4F1CF1323421CD72519E4526BC8
                                                                                                                                                                                                                                                                  SHA1:59A8697119DD4287022B2ED4C0513EA22F3BB29C
                                                                                                                                                                                                                                                                  SHA-256:0D8D708352C3B96D1AA193FFBD6F764A701EBFC979C700190494134E0E54F7B3
                                                                                                                                                                                                                                                                  SHA-512:6A565BE87005BEF075C7C6F0B13953794D52B861B5D40A74D3CCCA9A7813DE18195234827A83A4D38BFDB1CA64A712EA41A87A7A2A30023F45F624022A3DD4E0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...x............."!..0..............)... ........@.. ....................................`..................................)..K....@..h............... )...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B.................)......H........ ..,...................P .........................................fSc.....3..PM@...P@...L^...+............p.....u[.h.@o`.s.....m..~..2...E...zM...$.tl.No...Da.R...|.......R2...I.........BSJB............v4.0.30319......`...@...#~..........#Strings............#GUID...........#Blob......................3......................................]...............%...................C.....s...Q.z.....z.....z.....z...4.z.....z.....z.....z.....z...........i.................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):52896
                                                                                                                                                                                                                                                                  Entropy (8bit):6.684498329756475
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:ZZcxU+oWt5y4JSLFUA5JDHyFuc97Qk7Y32QttzX/XHXJREYcP+uLFClNP69zB:ZZN/iDALyFFQk7Y32OJPX7cP9piNuzB
                                                                                                                                                                                                                                                                  MD5:732613D07CF169180B7874BF3CA02EA8
                                                                                                                                                                                                                                                                  SHA1:0554B11B5E3C4A61823E9D7F74F71B0EA4A6678E
                                                                                                                                                                                                                                                                  SHA-256:6192CFA1614ECA1B992CFBA155FF9EF3D32C3A7F642912BBB502F0001DE246B5
                                                                                                                                                                                                                                                                  SHA-512:B60315B4C309A29C9E174A81464F528309155744FC170FD229A65ABEABAA1E035E2AFA7857D30BFD1586A80A1E15ED6807068C41154A32E3CD09E76BBE9ED93D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................................`...@......@............... ......................................\!...........(..........8...T...............................................................H............text.............................. ..`.data...&...........................@....reloc..............................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...W.e.b...H.t.t.p.U.t.i.l.i.t.y.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16136
                                                                                                                                                                                                                                                                  Entropy (8bit):6.711582753143812
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:DEVND8hxWVwo9W7YA6VFHRN7gD2R9zza+t1fY:D+u+2FClsK9zZ1fY
                                                                                                                                                                                                                                                                  MD5:31AC4E4AAED9264FA20A5E21B3393F7E
                                                                                                                                                                                                                                                                  SHA1:52A0AC2D9D0A5C099F6B490A3CED86CD5D04A446
                                                                                                                                                                                                                                                                  SHA-256:12EC2E14354B9F25143D4A6FE3DF9ABE0EAC379918B85BD7532D10C30E30423F
                                                                                                                                                                                                                                                                  SHA-512:EB15E6A6F18E89A8D4094C01FBAAC5DDB837794AB598D7D4176F98B8B0E0F0581D60FBBA8C97F0373E9817C89F8193A3E0C57BA88EC69F88F8A929A09879690F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............z*... ...@....... ..............................wQ....`.................................%*..O....@..8................)...`......X)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................Y*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....0.......#US.4.......#GUID...D...D...#Blob............T.........3....................................................6.Y.....Y...X.F...y.......................$...........o.......................V.....l.................>.......Y.................@.....@.....@...).@...1.@...9.@...A.@...I.@...Q.@...Y.@...a.@...i.@...q.@...y.@.....@. ...@.....@...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.684087527310445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:ClyaMtLx2vJWE2SW3W+WxNzx95jmHnhWgN7acWNCmyttuX01k9z3AOV8sQR:GyaMtF0JWE2SWmFX6HRN7nnSR9zdV8hR
                                                                                                                                                                                                                                                                  MD5:D4DC0B9D603E0AC51FA099E12261E82D
                                                                                                                                                                                                                                                                  SHA1:C9D7877F32BA92F1D63F35999A9270CFDFBA6FCC
                                                                                                                                                                                                                                                                  SHA-256:5798AB51F67A1731E67A8A356763CB5C02BDA618DD575AED51DC6272096BB218
                                                                                                                                                                                                                                                                  SHA-512:0F2999E1522ECD1EA45FE0BD2C1484C4A3E11E91D7E728D1358E7F9A2FE3B1144302A2DACCFFB0F97185F80C6E7F54A959D550F806E154FFB9E7C0B408A4B95C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...5E..........." ..0..............,... ...@....... ....................................`..................................+..O....@..X................)...`.......+..T............................................ ............... ..H............text...4.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ..4....................*......................................BSJB............v4.0.30319......l...h...#~..........#Strings............#US.........#GUID.......@...#Blob............T.........3......................................................Q...&.Q.....>...q.......D.........m.....y.................P...................................4.............Q..... ...........8.....8.....8...).8...1.8...9.8...A.8...I.8...Q.8...Y.8...a.8...i.8...q.8...y.8.....8. ...8.....8...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16672
                                                                                                                                                                                                                                                                  Entropy (8bit):6.667070680792912
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:BhMvUCh9W1Y4WOArWxNzx95jmHnhWgN7agWUmMfKUSIX01k9z3ARqK:AL9W1Y4WOAEX6HRN79mW2IR9zoH
                                                                                                                                                                                                                                                                  MD5:19645202783866DF23C6D8746CE1196A
                                                                                                                                                                                                                                                                  SHA1:6D8293BA6B41247BA090E3ACB3AD98F4267AF44C
                                                                                                                                                                                                                                                                  SHA-256:E7065641210FAB4636FCC3B117E4E15A584838E71A4D0B3835D6378C78937465
                                                                                                                                                                                                                                                                  SHA-512:00A5FC30B4DDE85306BDDC509FD539F4C7A17C2A032EF65F620697C158D0A11DF5F06CF0FD1A6886B88D8EF7EB53321CE18B9ADFC5B6EE248291C09BDA411EE9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W..........." ..0..............,... ...@....... ....................................`..................................,..O....@..X............... )...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ......................(+......................................BSJB............v4.0.30319......l...l...#~......<...#Strings............#US.........#GUID...(.......#Blob............T.........3..........................................f...........+.....+.........K.......;.....z...d.....p.................G...................................+.......).....+.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):22176
                                                                                                                                                                                                                                                                  Entropy (8bit):6.352093179803691
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:P125qkxK67ex4FCRunW1wAWEYA6VFHRN7JtHNsAR9zqo:NKLmAWFCl3ts89zL
                                                                                                                                                                                                                                                                  MD5:FB77B8FA47F57C039EC3202C86752842
                                                                                                                                                                                                                                                                  SHA1:22138F3686EB4AE26D4B6212EC91B1441F918AE0
                                                                                                                                                                                                                                                                  SHA-256:0B8B80E022A7A6F46E61CC434658AFC00F72631E4303AC5FA2237DBA99925098
                                                                                                                                                                                                                                                                  SHA-512:9685C0BECDEB79531BD37A40A4C1F7FB230706AD88AD25F3A1E930D59408DA370D050707B47D4BEC72E8C4598C080C2E01E415E94DCC8E14ADA3F4ACD9E545D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=............."!..0..$...........B... ........@.. ...............................J....`.................................LB..O....`...................(...........A..8............................................ ............... ..H............text...."... ...$.................. ..`.rsrc........`.......&..............@..@.reloc...............,..............@..B.................B......H........ ... ..................P ........................................Qm=........B.*.c.)J.......f.....V.GQ@.[....ZY~.<L.>..9..?...`.........s.}c.....x....ujz.As7...{......~l..q....j..F>....r.BSJB............v4.0.30319......`.......#~......8...#Strings............#GUID...(.......#Blob......................3............................................................G..... .......b.....i...f.....-.........................................[...............................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.7385136944866995
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:+rKxzzhLW7MfEqHWqWxNzx95jmHnhWgN7aoW3zAcZQZfKUSIX01k9z3ARq7fG7yu:+ezdLW7MfEqHW5X6HRN7l2IR9zoqG9
                                                                                                                                                                                                                                                                  MD5:618450D16A5E2A9E8892A0A08748115B
                                                                                                                                                                                                                                                                  SHA1:F282DDC839FEE8E157C8F9453B2C447CF2292E5A
                                                                                                                                                                                                                                                                  SHA-256:84537A54CCA9AA87F0246E71E75A77124C90B4602A979C111368848FD975B591
                                                                                                                                                                                                                                                                  SHA-512:8AB0AC9D1BC47D5378B70D38D8EC86B08EB1CC0FE9A1167BA3DC16CE49F1CEBE47D410A59A9F2A60F699773D0D745625C348744B3114300D03B6E0F507E77757
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{............" ..0..............-... ...@....... ..............................:^....`..................................-..O....@...................)...`.......,..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l...x...#~..........#Strings............#US.........#GUID...........#Blob............T.........3..........................................p.........$.F.....F...r.....|.......<...............*...........]...........0.....M.....D.................s.....D.....x.F.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16144
                                                                                                                                                                                                                                                                  Entropy (8bit):6.768329397272433
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:RaxphW/vdWXpWjA6Kr4PFHnhWgN7agWacdhHssDX01k9z3AGWaEj:yphW/vdWXYA6VFHRN78dFDR9z7WPj
                                                                                                                                                                                                                                                                  MD5:D0EB97936EF83C560D6C32F8A01DD0B4
                                                                                                                                                                                                                                                                  SHA1:689484E237A3C1BF34DCBD30349EF026D25EB9E6
                                                                                                                                                                                                                                                                  SHA-256:E9E7AB3E5CE5993C393E1628A9390C3C676661FADD15B8AF18DF8F37D4E7F0D6
                                                                                                                                                                                                                                                                  SHA-512:C395BB74991B8C3F8590CF339920CF283A5887C8330B41FCB4C2AA958F25970CD67D037CFC5A20B291E8F088EF2580BBCB9AC641AA97A2E4DC965D6B4805DAC6
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8............"!..0..............+... ........@.. ..............................:.....`.................................L+..O....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ......................................g8xv...a..M..!....(G.1a........../}\.fl".SJ.tz...U.a.........=.e\..|.....^f.....afq.y.......c<Ff.=...W..?.<G6....OP.]..mBSJB............v4.0.30319......`.......#~..l.......#Strings............#GUID...,.......#Blob......................3................................................L...............................8.....L...p.L.....L.....L.....L.....L.....L...l.L.....L.............................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18192
                                                                                                                                                                                                                                                                  Entropy (8bit):6.651913199525005
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:MW0aeWJ4nTLVGQYA6VFHRN7NN/7R9zCMZ:3J4nPlFCljF9zL
                                                                                                                                                                                                                                                                  MD5:0059E13D67A0A703782F6761903F9993
                                                                                                                                                                                                                                                                  SHA1:F278429223A4993D3757465A5CDEB11679708C03
                                                                                                                                                                                                                                                                  SHA-256:186782FBF3EEE0E17A95D06769548771B62252BDC412BE8F83A582D091A8DBD6
                                                                                                                                                                                                                                                                  SHA-512:CDDBBBC503FA1C2D98C267CDC1A31ED052A8E5AE870924ECDE9408D044F571C9F701FE85E2DB7AEF5005B6B262F8BCBE08DF00D2E35BCAC25361987E362E6A3C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...y{............" .........................................................P............`...@......@............... ......................................0...H........)...@......P...T...............................................................H............text............................... ..`.data...?....0......................@....reloc.......@......................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.................^.........#.?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...N.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...X.m.l...X.P.a.t.h...X.D.o.c.u.m.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...^.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):18208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.62112689223517
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:JmiLgTJNTDxhkcWplvW5MWxNzx95jmHnhWgN7agW5wIAgfcMbnoQNpX01k9z3Abg:Yi8rdhbWplvW5TX6HRN7xI/7R9zCng
                                                                                                                                                                                                                                                                  MD5:AC8C00A6747DE5226C137D208C4F182B
                                                                                                                                                                                                                                                                  SHA1:215E2563CA1AE5FDD1DFABCDA2D4281451C37A03
                                                                                                                                                                                                                                                                  SHA-256:55F9EDDE671BB0B598826186B23DC864753770B65F7EBE53D3AC3D86512A1B3A
                                                                                                                                                                                                                                                                  SHA-512:31149C242D6E3CB429E9E3F84C4DE13782C82788D189217ABCFE9A058D7CEE871B8B682D49531D912F6F58DE325136BBA1C073FF1D3F5E14E56ADBFEA57E761C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.y..........."!..0..............3... ........@.. ...............................E....`..................................2..W....@.................. )...`...... 2..8............................................ ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................3......H........ ..P...................P ........................................{...m`.."n....v.......X....#h.V.c....^.U.d..n..5..-]...d......T......2|4A....G.6.....\;./.3.-.}.....,....06ph.QG..o..BSJB............v4.0.30319......`.......#~..(...p...#Strings............#GUID...........#Blob......................3................................J.................................+.....F...........N.....H.........................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):24736
                                                                                                                                                                                                                                                                  Entropy (8bit):6.196087974091141
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:qV/Mc95qohA8bhUVGdOQgWKwjsWlYA6VFHRN721DX+iR9zZjES:qV0chOkrFCl+DuO9z9ES
                                                                                                                                                                                                                                                                  MD5:FD9D85F47840B07B63FAC3C7B1A67ACF
                                                                                                                                                                                                                                                                  SHA1:09B9728960F9A81B3D67B3F1D9E6E19C0247014E
                                                                                                                                                                                                                                                                  SHA-256:D563E81C9FEEEF2C1E30A1DB45C95A3CE2A1BC18693CE30289E466D6E1ABC9D2
                                                                                                                                                                                                                                                                  SHA-512:FA1F20E27EA6A51EEDE46C418792790925E16CC752155B72412312A4A14DEDFCCF1F032C42A7A17B298B8DA5B6FE98DCCC43C062C41C4786EBEC01340FDF12D8
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............L... ...`....... ....................................`..................................K..O....`..8............8...(...........J..T............................................ ............... ..H............text....,... ...................... ..`.rsrc...8....`.......0..............@..@.reloc...............6..............@..B.................K......H.......P ...*..................lJ......................................BSJB............v4.0.30319......l...@...#~..........#Strings....L'......#US.P'......#GUID...`'......#Blob............T.........3..........................................P............... .................k.....H...........S.................G...................................+.....m.S...0...................x.....x.....x...).x...1.x...9.x...A.x...I.x...Q.x...Y.x...a.x...i.x...q.x...y.x.....x. ...x.....x...

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):50960
                                                                                                                                                                                                                                                                  Entropy (8bit):5.747090092923577
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:eQuoy1c6A2ZX8TRNH5JVbOd502zq1TntVBFFClwl9zx:eQuoO3ZX8Q5jzC3BTiw3zx
                                                                                                                                                                                                                                                                  MD5:C4B42F4015DB97630DAC03F6B12EA124
                                                                                                                                                                                                                                                                  SHA1:C1ECEAE6CB9C4F6E39F4F582052E3824DB2A5323
                                                                                                                                                                                                                                                                  SHA-256:A0CAE7A8FF1A44A04215B2FEE19D73B6D9351A7DCEAF17E25D8DC72E5D0A5D60
                                                                                                                                                                                                                                                                  SHA-512:C75AC92E9F72D016BEDC60AB2FD49C3E21C4C8AE44665FA80613AEEF1A669191F1182EBBEAEF9EDA76A77980930BAE4E5DF238D9CE47689AF781092C298D6CD1
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../&K..........." ..0.................. ........... ....................................`.....................................O........................).............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17160
                                                                                                                                                                                                                                                                  Entropy (8bit):6.687937690598966
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:vpmduasEWQ+E9ZRWVEcWWUYA6VFHRN7rpR9z+ptz/nk:v0dJnP8UFClrD9zWZ/k
                                                                                                                                                                                                                                                                  MD5:843DB412D5B8F71F10EDD73561B4804B
                                                                                                                                                                                                                                                                  SHA1:C33B33AD7A29C9E981A049B1DA3E6A793F5CE034
                                                                                                                                                                                                                                                                  SHA-256:AF02BFB85E43E968B8095065809715D40039841AA1CAAACFEACB9A303C35F93A
                                                                                                                                                                                                                                                                  SHA-512:AADD18D36BAF1D40309B2B3D128D770AEC298A7F0498C17D5BEFB85ACD32650547D2FB6CA58134221A335DFADBFE1C4B925C14A65A2D971E8F58442EE59013ED
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0............../... ...@....... ..............................c.....`.....................................O....@..8................)...`.......-..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p-......................................BSJB............v4.0.30319......l.......#~..$.......#Strings............#US.........#GUID.......D...#Blob............T.........3..........................................f.........3.................'.....0.......v.....................l...........I.....f.....S.............i.....i................. ...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.459775574843526
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:SOQWvhW/WYnO/VWQ4SWc0NsxZAqnajT9CJIC:SjWvhWvUsNs/Al39AL
                                                                                                                                                                                                                                                                  MD5:681C84FB102B5761477D8DA2D68CD834
                                                                                                                                                                                                                                                                  SHA1:FD96CF075A956FBC2B74E1ECC3E7958163B58832
                                                                                                                                                                                                                                                                  SHA-256:F0F7CB2A9FFCCB43400DB88D6BF99F2FCC3161DE1AC96C48501D4D522C48C2CA
                                                                                                                                                                                                                                                                  SHA-512:C41A62F8D10290215B8A7F0DDCC27A1CF12A7453C2DAABEF75BD2CE87C4FFC87D74EDC8CAA1771BEDA0BFA26249CFE3C94D4AF50B22A5DECB6D282BD8A2C4BDD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...B4............" .........0...............................................@............`A........................................p...,............0...............0...!..............p............................................................................rdata..t...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.499619700582879
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:L6WvhWFWYnO/VWQ4SWssAtkqnaj6M07i5CK:+WvhW1UslWMui57
                                                                                                                                                                                                                                                                  MD5:039D612693E56CCF32AE81C99443EA77
                                                                                                                                                                                                                                                                  SHA1:0487AA5E7D283A8840F3005D1E24E8C9ED140974
                                                                                                                                                                                                                                                                  SHA-256:4E978EE035B72032D0B7693E09EED6E112DCED6965780BC3E6B8E024EA2366AB
                                                                                                                                                                                                                                                                  SHA-512:FFA56C73E977FFCEF7890AB6C3EC52E9827AF28B0552F11C48BB7CA16D37C2B7069FB7E03CEFB89F8679E3755BCC8C47344D0D9B91416C6D92CA7DB28C20240A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....=.........." .........0...............................................@...........`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20952
                                                                                                                                                                                                                                                                  Entropy (8bit):4.308560743366262
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:1WvhW/WYnO/VWQ4yWxK2fvXqnajeCqN+6:1WvhWvU8XlX0
                                                                                                                                                                                                                                                                  MD5:2A8065DC6E6E60FB90B4B3F9E6BA7288
                                                                                                                                                                                                                                                                  SHA1:400A1F44CD4354DEA0117E79EC04B006D6141B36
                                                                                                                                                                                                                                                                  SHA-256:55E5F10D0DD9C85FF1C6DC7798E46B3A4422FB7EBC583BB00D06A7DF2494397B
                                                                                                                                                                                                                                                                  SHA-512:787E033E35AA357263639D97FDFE8A2EBC9F17865579BE13C14C0A4C2ED99432ED8EA79C5046D1B4B783BF5FCF7B713EFDD70FCA8445A7AFCB91CFDDC7F9D442
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...FBe..........." .........0...............................................@.......,....`A........................................p................0...............0...!..............p............................................................................rdata..X...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.314779945585029
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:JWvhWiWYnO/VWQ4mWAyTIl1PXEKup3JdqnajKsztG2:JWvhWYUQI/PX7aJdlGsztG2
                                                                                                                                                                                                                                                                  MD5:720DB2235C4193151FF8987F8A729135
                                                                                                                                                                                                                                                                  SHA1:038648798892203B506AB4664BAECA25F78BC43C
                                                                                                                                                                                                                                                                  SHA-256:092B72832C47F9C4EDCDE61F1A111C20EB73452984E0A6109482DE74EB03C34D
                                                                                                                                                                                                                                                                  SHA-512:CAAC89DC4FE10E7752B6F248623B34A47A77A750E62F0A558C760A8AD672D980AFC966A9E5696BA5C916E722FD221D305C4D2C49D5DDA0E4A768855886D4F3CA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...@4............" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25048
                                                                                                                                                                                                                                                                  Entropy (8bit):4.628757275210407
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:1mtaNYPvVX8rFTsvWvhWmWYnO/VWQ4yW9AfvXqnajeCqKW:8PvVXhWvhWMU7XlX7W
                                                                                                                                                                                                                                                                  MD5:36277B52C64CC66216751AAD135528F9
                                                                                                                                                                                                                                                                  SHA1:F2A6740BA149A83E4E58E1E331429FA3EB44FBA0
                                                                                                                                                                                                                                                                  SHA-256:F353B6C2DF7AADB457263A02BCE59C44BBAB55F98AE6509674CFBC3751F761B9
                                                                                                                                                                                                                                                                  SHA-512:BE729194A0A3C4D70A6FFA8DE5C7F8BB3DDA1F54772F9AEFF4B9AA1D6756720D149613C5DCB911286B6C0181A264A4A2A8A4EB848C09AC30BA60B6FD10DD64C9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...!..e.........." .........@...............................................P............`A........................................p................@...............@...!..............p............................................................................rdata..L........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.328858083322922
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:IAIEWvhWLIQWYnO/VWQ4eWletp80Hy5qnajsBk9:I5EWvhWLI+UJpslE8
                                                                                                                                                                                                                                                                  MD5:D92E6A007FC22A1E218552EBFB65DA93
                                                                                                                                                                                                                                                                  SHA1:3C9909332E94F7B7386664A90F52730F4027A75A
                                                                                                                                                                                                                                                                  SHA-256:03BD3217EAE0EF68521B39556E7491292DB540F615DA873DD8DA538693B81862
                                                                                                                                                                                                                                                                  SHA-512:B8B0E6052E68C08E558E72C168E4FF318B1907C4DC5FC1CD1104F5CAE7CC418293013DABBB30C835A5C35A456E1CB22CC352B7AE40F82B9B7311BB7419D854C7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@......p.....`A........................................p...L............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.41968362445382
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
                                                                                                                                                                                                                                                                  MD5:50ABF0A7EE67F00F247BADA185A7661C
                                                                                                                                                                                                                                                                  SHA1:0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
                                                                                                                                                                                                                                                                  SHA-256:F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
                                                                                                                                                                                                                                                                  SHA-512:C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....mR.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.368970650031484
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:ODWvhWJWYnO/VWQ4mWbAcH2vArqnajKsbTY3:ODWvhWJUrcH24rlGsbTY3
                                                                                                                                                                                                                                                                  MD5:215E3FA11BE60FEAAE8BD5883C8582F3
                                                                                                                                                                                                                                                                  SHA1:F5BF8B29FA5C7C177DFEC0DE68927077E160C9AB
                                                                                                                                                                                                                                                                  SHA-256:FBB9032835D0D564F2F53BBC4192F8A732131B8A89F52F5EF3FF0DAA2F71465F
                                                                                                                                                                                                                                                                  SHA-512:C555698F9641AF74B4C5BB4CA6385B8D69D5A3D5D48504E42B0C0EB8F65990C96093687BC7EE818AA9C24432247AFAD7DF3BF086010A2EFCD3A1010B2FCD6A31
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@......5.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.601897142725442
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:pTvuBL3BBLxWvhWcWYnO/VWQ4mW74j21EhqnajKsxX+:pTvuBL3BXWvhWKUBqslGsxu
                                                                                                                                                                                                                                                                  MD5:9A8AB7FE8C4CC7604DFF1FBFA57458AA
                                                                                                                                                                                                                                                                  SHA1:68ED7B6B5191F53B50D6A1A13513DB780AB19211
                                                                                                                                                                                                                                                                  SHA-256:E9A3D7F8A08AB5BC94ACB1EC1BFFDA90469FEC3B7EECDF7CF5408F3E3682D527
                                                                                                                                                                                                                                                                  SHA-512:05DAEABBCDE867E63FDE952213FFF42AF05E70AE72643C97060A90DCEA2A88B75947B6F503CB2C33938AFE36AD1BAFBA5008C1BBE839F6498CDA27DA549DAEE9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...P.1..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):5.116096564588074
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:6naOMw3zdp3bwjGzue9/0jCRrndbDWvhWfUCBoliM:POMwBprwjGzue9/0jCRrndbwIJY
                                                                                                                                                                                                                                                                  MD5:DE5695F26A0BCB54F59A8BC3F9A4ECEF
                                                                                                                                                                                                                                                                  SHA1:99C32595F3EDC2C58BDB138C3384194831E901D6
                                                                                                                                                                                                                                                                  SHA-256:E9539FCE90AD8BE582B25AB2D5645772C2A5FB195E602ECDBF12B980656E436A
                                                                                                                                                                                                                                                                  SHA-512:DF635D5D51CDEA24885AE9F0406F317DDCF04ECB6BFA26579BB2E256C457057607844DED4B52FF1F5CA25ABE29D1EB2B20F1709CF19035D3829F36BBE31F550F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....3..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.483681194749599
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:WqfWvhWoWYnO/VWQ4mWKNe4XEKup3JdqnajKsztPO/B:WGWvhWWU9X7aJdlGsztP2
                                                                                                                                                                                                                                                                  MD5:7DDDA921E16582B138A9E7DE445782A0
                                                                                                                                                                                                                                                                  SHA1:9B2D0080EDA4BA86A69B2C797D2AFC26B500B2D3
                                                                                                                                                                                                                                                                  SHA-256:EF77B3E4FDFF944F92908B6FEB9256A902588F0CF1C19EB9BF063BB6542ABFFF
                                                                                                                                                                                                                                                                  SHA-512:C2F4A5505F8D35FBDD7B2ECA641B9ECFCB31FE410B64FDE990D57B1F8FD932DFF3754D9E38F87DB51A75E49536B4B6263D8390C7F0A5E95556592F2726B2E418
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...dIx..........." .........0...............................................@.......:....`A........................................p...l............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.417647805455514
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:RWvhW0WYnO/VWQ4SWKeE+Ztc80Hy5qnajsBkUqS:RWvhWiUxslE5qS
                                                                                                                                                                                                                                                                  MD5:BF622378D051DB49BDC62ACA9DDF6451
                                                                                                                                                                                                                                                                  SHA1:EFD8445656A0688E5A8F20243C2419984BB7743E
                                                                                                                                                                                                                                                                  SHA-256:0BFEDB0D28E41E70BF9E4DA11E83F3A94C2191B5CD5DD45D9E9D439673B830CE
                                                                                                                                                                                                                                                                  SHA-512:DF32D34C81FDE6EEF83A613CE4F153A7945EECFB1EC936AC6ED674654A4E167EC5E5436185B8064177F5F9273D387CA226C3C9529591180250A9C5C581EC6F70
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....2............" .........0...............................................@.......p....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.6126507489483375
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:qF3qWvhWQWYnO/VWQ4SWL7JJsxZAqnajT9CgsLam:qF6WvhW+UA7s/Al39wR
                                                                                                                                                                                                                                                                  MD5:A56E3E2AA6398CCB355C7CDE81CCB6E5
                                                                                                                                                                                                                                                                  SHA1:A26273DD41DB7B63D3A79ACF6F4F3CF0381A8F02
                                                                                                                                                                                                                                                                  SHA-256:25AF1BC31C4A3FB9F1036C9AA51CB0AE8899C499B3EEF4CF7281515C1EA27B47
                                                                                                                                                                                                                                                                  SHA-512:3D5CEC9E5B42724794282974F637B1FDA8C26ADF01ED19DD2EC4F940E01CD43BDC42E46DC3E62704E62553DE96D3FEA1616C9650AF73CDB557DFCA1B52051A64
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processthreads-l1-1-1.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.513848472591714
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:pwQpUwzDfIeOWvhW9WYnO/VWQ4+WWXtplsxZAqnajT9CGl:pZDfIeOWvhWNUFbls/Al39Hl
                                                                                                                                                                                                                                                                  MD5:74C264CFFC09D183FCB1555B16EA7E4B
                                                                                                                                                                                                                                                                  SHA1:0B5B08CDF6E749B48254AC811CA09BA95473D47C
                                                                                                                                                                                                                                                                  SHA-256:A8E2FC077D9A7D2FAA85E1E6833047C90B22C6086487B98FC0E6A86B7BF8BF09
                                                                                                                                                                                                                                                                  SHA-512:285AFBCC39717510CED2ED096D9F77FC438268ECAA59CFF3CF167FCC538E90C73C67652046B0EE379E0507D6E346AF79D43C51A571C6DD66034F9385A73D00D1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...%p_W.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..,...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.469567491280211
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:aGeVTg6WvhWGWYnO/VWQ4SWupBd80Hy5qnajsBkt2NjY:aGeVTg6WvhWsUldslE8+Y
                                                                                                                                                                                                                                                                  MD5:6397D5CC116D884D31552F613F748556
                                                                                                                                                                                                                                                                  SHA1:B76B19FE4D3D5D26D2DEE1983D384E26D961180E
                                                                                                                                                                                                                                                                  SHA-256:40EB38D84DFD13C8A58211B8273C4B4965148742F08EB6FE8B0830392C37ABC1
                                                                                                                                                                                                                                                                  SHA-512:4449DA9BAA3F722EB274AC527125F5918A17BC94B243849A0A44F3463E35F368339A58A6AA1E08B83D54D13538C0D52BFCB452A48B8B9A52961BF136256D220E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....C}.........." .........0...............................................@.......T....`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20960
                                                                                                                                                                                                                                                                  Entropy (8bit):4.375396134710155
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:v0yyMvJWvhW4WYnO/VWQ4SWQwwV80Hy5qnajsBkrfFIf:zyMvJWvhWmUAIslEAfFI
                                                                                                                                                                                                                                                                  MD5:D2D7458AB838E738B54FB4D6FA490BF6
                                                                                                                                                                                                                                                                  SHA1:0CFC5659B23A35C987B96CABBC0D10325316385D
                                                                                                                                                                                                                                                                  SHA-256:285A481D7BA9859CC28BEDEDD8F05A90BD648A34D66B8C797118920B40E15E4E
                                                                                                                                                                                                                                                                  SHA-512:62E0ABB2E59D360D6A066E73289AA1B880E7C1A0B7E6C695F40B1E0F2CB11DEB9E54DEBA4045D2454B911AF109EC198F11073874A8F023EB1B71A16A74354A1E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....%fN.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..<...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.889960536352825
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:lQMwidv3V0dfpkXc0vVaLnWvhWTULrX7aJdlGsztzO1:xHdv3VqpkXc0vVagQ2L7aJGqO1
                                                                                                                                                                                                                                                                  MD5:255B18FE8AB465C87FB8AD20D9A63AAC
                                                                                                                                                                                                                                                                  SHA1:645823B0332ADDABA5E4EF40D421B2DA432FDA5E
                                                                                                                                                                                                                                                                  SHA-256:E050E1BFBB75A278412380C912266225C3DEE15031468DAE2F6B77FF0617AA91
                                                                                                                                                                                                                                                                  SHA-512:19244B084AC811B89E0E6A77F9308D20CF4FBB77621D34EEDC19FCD5C8775A33B2D9ADA3F408CBE5806C39745B30C1C1CC25D724DB9377B437D771AE0BF440B1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....>F..........." .........0...............................................@......Re....`A........................................p...X............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.557349562243787
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:ctZ3ZtIWvhW9NWYnO/VWQ4SWndusxZAqnajT9CMCz4:ctZ3wWvhW9dUds/Al39pCz4
                                                                                                                                                                                                                                                                  MD5:0A2432A420640A79FAAFF044AB054EF6
                                                                                                                                                                                                                                                                  SHA1:15688BF3C9330309EC5EA602C0AD5AF1FD68BC30
                                                                                                                                                                                                                                                                  SHA-256:9DFD114E4182662A669A3B9054DD2A24D96DD66ED96A8B2AC05601928B2084D5
                                                                                                                                                                                                                                                                  SHA-512:090D6D5046AEFE9006B319FC3F9740426BC93E50CF262CE65857449891CA69D2A235421CFEA3FB178D3F8B1E3F640B8678AA9D8F6E67B8A17985913BEBFB3FDD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.617444368323971
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:UgdKIMFemVWvhWNWYnO/VWQ4mWY1tcQIj21EhqnajKsxN:JH0WvhWdUDIqslGsxN
                                                                                                                                                                                                                                                                  MD5:E1A7B1F8CDB24324D0E44B0078DB8BD1
                                                                                                                                                                                                                                                                  SHA1:B6C2FE32AE5FA1398F7AE6245C405378E32A7897
                                                                                                                                                                                                                                                                  SHA-256:45D4F1E398E4CC73FD1AAAD80219D2A9D3205A228167C819EB6787D7B01FC186
                                                                                                                                                                                                                                                                  SHA-512:144AFE1CB812DE93FBDD08658AFEB4C95480A8E504C5DCF909FF226400CA2D0F48395CF71954FBD1B3DD93A49CBA39EC0DB3FC34A05804C93FD9A48B0A1749CA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@.......A....`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.549935038939539
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:+cWvhWoWYnO/VWQ4mWRhXEKup3JdqnajKsztzy:+cWvhWWUqX7aJdlGsztzy
                                                                                                                                                                                                                                                                  MD5:CB39EEA2EF9ED3674C597D5F0667B5B4
                                                                                                                                                                                                                                                                  SHA1:C133DC6416B3346FA5B0F449D7CC6F7DBF580432
                                                                                                                                                                                                                                                                  SHA-256:1627B921934053F1F7D2A19948AEE06FAC5DB8EE8D4182E6F071718D0681F235
                                                                                                                                                                                                                                                                  SHA-512:2C65014DC045A2C1E5F52F3FEA4967D2169E4A78D41FE56617CE9A4D5B30EBF25043112917FF3D7D152744DDEF70475937AE0A7F96785F97DCEFAFE8E6F14D9C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.319450964936577
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:MPWvhWRWYnO/VWQ4SWiIsxZAqnajT9CDH:yWvhWRUCs/Al39OH
                                                                                                                                                                                                                                                                  MD5:5B6C46F42ED6800C54EEB9D12156CE1F
                                                                                                                                                                                                                                                                  SHA1:66CE7A59B82702875D3E7F5B7CF8054D75FF495F
                                                                                                                                                                                                                                                                  SHA-256:2631CADCE7F97B9A9E6DF4E88F00F5A43EF73B070EE024ED71F0B447A387FF2F
                                                                                                                                                                                                                                                                  SHA-512:38FF6745BB5597A871B67AA53FCC8426BC2CDD16B6497A0EB7B59C21D8716F1ABB1F7C7A40A121AD1BD67B5490FEF5CF82EE8FD0BF848F27DCA27FC5D25DEC61
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......#.........." .........0...............................................@...........`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.6478341719136145
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:y0WvhW3WYnO/VWQ4mW8iTH2vArqnajKsbTYk:FWvhWnUIH24rlGsbTYk
                                                                                                                                                                                                                                                                  MD5:A68D15CAB300774D2A20A986EE57F9F4
                                                                                                                                                                                                                                                                  SHA1:BB69665B3C8714D935EE63791181491B819795CB
                                                                                                                                                                                                                                                                  SHA-256:966DDBF59E1D6C2A80B8ABBF4A30D37475DE097BF13FB72BA78684D65975CD97
                                                                                                                                                                                                                                                                  SHA-512:AC040F92560631CA5162C7559173BDFE858E282225967AB1ADC0A038D34943B00DB140D44319CD2CDC2864295A098AB0BA634DFAA443E1D1782FA143AE4C217D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...8.?;.........." .........0...............................................@......5.....`A........................................P................0...............0...!..............p............................................................................rdata..@...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.454858890873412
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:PLGju+OXWvhW+eWYnO/VWQ4mWPiNbj21EhqnajKsxy:PLGjuJWvhWFUztqslGsxy
                                                                                                                                                                                                                                                                  MD5:DACF383A06480CA5AB70D7156AECAB43
                                                                                                                                                                                                                                                                  SHA1:9E48D096C2E81A7D979F3C6B94315671157206A1
                                                                                                                                                                                                                                                                  SHA-256:00F84C438AAB40500A2F2DF22C7A4EC147A50509C8D0CDAC6A83E4269E387478
                                                                                                                                                                                                                                                                  SHA-512:5D4146A669DDB963CF677257EC7865E2CFCB7960E41A38BBD60F9A7017474ED2F3291505FA407E25881CBF9E5E6B8055FF3BD891043284A0A04E3FE9CFAD9817
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................." .........0...............................................@......w.....`A........................................P..."............0...............0...!..............p............................................................................rdata..r...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.950541424159939
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:RSnWlC0i5CtWvhWJKWYnO/VWQ4SWuMasxZAqnajT9CQMDt:RSnWm5CtWvhWWUyas/Al39ODt
                                                                                                                                                                                                                                                                  MD5:D725D87A331E3073BF289D4EC85BD04D
                                                                                                                                                                                                                                                                  SHA1:C9D36103BE794A802957D0A8243B066FA22F2E43
                                                                                                                                                                                                                                                                  SHA-256:30BCF934CBCC9ED72FF364B6E352A70A9E2AFA46ECEADEA5C47183CB46CFD16E
                                                                                                                                                                                                                                                                  SHA-512:6713FF954221C5DD835C15556E5FA6B8684FA7E19CE4F527A5892E77F322B3DAE7199A232040B89AD4A9575C8D9788D771892D2294F3C18DA45E643EB25FDB08
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):4.591111522505104
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:PUFY17aFBRIWvhWrWYnO/VWQ4mWCJH2vArqnajKsbTYxj:8Q1WvhWLUrH24rlGsbTY5
                                                                                                                                                                                                                                                                  MD5:9151E83B4FDFA88353B7A97AE7792678
                                                                                                                                                                                                                                                                  SHA1:B46152E70D5D3D75D61D4CCDB50403BD08BB9354
                                                                                                                                                                                                                                                                  SHA-256:6C0E0D22B65329F4948FCF36C8048A54CCCCBF6C05B330B2C1A686F3E686EED0
                                                                                                                                                                                                                                                                  SHA-512:4D4210474957E656D821E1DC5934A4BFBF7E73DD61D696A1AB39914F887810C8FBE500DBB1E23782B40807F25820F35C9665E04DCDC2FD0F6C83046A4AECB86B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...G..d.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..f...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29144
                                                                                                                                                                                                                                                                  Entropy (8bit):4.946641263598223
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:MQM4Oe59Ckb1hgmLJWvhWdUN8HOhlxAnY:rMq59Bb1jeanOunY
                                                                                                                                                                                                                                                                  MD5:7A235962DBAB1E807C6EC7609FC76077
                                                                                                                                                                                                                                                                  SHA1:148DDD11A0D366313F75871007057B3F0485AB33
                                                                                                                                                                                                                                                                  SHA-256:F7C5D7394643C95FE14C07773A8A206E74A28DB125F9B3976F9E1C8C599F2AF1
                                                                                                                                                                                                                                                                  SHA-512:25B21EE7BB333E5E34D2B4A32D631A50B8FFAF1F1320D47C97C2A4DFF59FA2A2703CDF30638B46C800D3150EFAA4A2518C55E7B2A3B2E4273F43DD5CA83AE940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...J..R.........." .........P...............................................`............`A........................................P....%...........P...............P...!..............p............................................................................rdata...&.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-multibyte-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):29136
                                                                                                                                                                                                                                                                  Entropy (8bit):4.764408242494898
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:VA/kPLPmIHJI6/CpG3t2G3t4odXLJWvhWSUwlmX7aJdlGszti:y/kjPmIHJI6AFc7aJGT
                                                                                                                                                                                                                                                                  MD5:B3B4A0F3FCE120318E71DE3AFB6BB1AA
                                                                                                                                                                                                                                                                  SHA1:D3349409EC717F942769BA67FECA40557C1423D0
                                                                                                                                                                                                                                                                  SHA-256:A38E6786DC8EC6D2717343DBE00BB2FDDA008D87935BBD9371AE94E7E004270B
                                                                                                                                                                                                                                                                  SHA-512:4A130674DDBB05949665F6F7A070B25E82C34047D1E62EC60C73F815CED39A9041D972BE4E8C505F9B13C5BCDC114F3479BF8D69D7D9CF9987D39A6F5DB7F560
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....T............" .........P...............................................`............`A........................................P.... ...........P...............P...!..............p............................................................................rdata..D".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):74192
                                                                                                                                                                                                                                                                  Entropy (8bit):5.1227875842071615
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:LLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjPgB/P5W:baHgDe5c4bFe2JyhcvxXWpD7d3334Bkb
                                                                                                                                                                                                                                                                  MD5:7033AB91EA4F0593E4D6009D549E560F
                                                                                                                                                                                                                                                                  SHA1:4951CE111CA56994D007A9714A78CDADEEB0DACF
                                                                                                                                                                                                                                                                  SHA-256:BE7901AA1FACEA8E1FD74A62BDE54CC3BD8E898B52E76FABB70342B160989B80
                                                                                                                                                                                                                                                                  SHA-512:8BC3B880E31EBE3BC438A24D2AF249C95E320AC3C7A501027EF634F55AAB6FAC4F6D1090A00C29A44657A34EBADCD62023F2E947D31C192072698B645F8651ED
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....+..........." ................................................................e.....`A........................................P....................................!..............p............................................................................rdata..............................@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25040
                                                                                                                                                                                                                                                                  Entropy (8bit):4.795732177662406
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:oHUW9MPrpJhhf4AN5/KiZWvhWMWYnO/VWQ4mWLz8Y5H2vArqnajKsbTYCkI:oHUZr7PWvhW6UeH24rlGsbTYCx
                                                                                                                                                                                                                                                                  MD5:27C4A3BCC0F1DBA2DE4C2242CD489F3B
                                                                                                                                                                                                                                                                  SHA1:A704FD91E3C67108B1F02FD5E9F1223C7154A9CC
                                                                                                                                                                                                                                                                  SHA-256:315DED39D9E157CEC05D83711C09858C23602857C9D8C88BEEF121C24C43BE84
                                                                                                                                                                                                                                                                  SHA-512:793E74DFB1052C06AB4C29E7B622C795CC3122A722382B103940B94E9DAC1E6CA8039DF48C558EFCC5D952A0660393AE2B11CED5ADE4DC8D5DD31A9F5BB9F807
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...4{.+.........." .........@...............................................P............`A........................................P...4............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25040
                                                                                                                                                                                                                                                                  Entropy (8bit):5.082770273323341
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:DA2uWYFxEpahrWvhW/nWYnO/VWQ4mWSmRkH2vArqnajKsbTYMlBzK:DIFVhrWvhWfUERkH24rlGsbTYx
                                                                                                                                                                                                                                                                  MD5:306608A878089CB38602AF693BA0485B
                                                                                                                                                                                                                                                                  SHA1:59753556F471C5BF1DFEF46806CB02CF87590C5C
                                                                                                                                                                                                                                                                  SHA-256:3B59A50457F6B6EAA6D35E42722D4562E88BCD716BAE113BE1271EAD0FEB7AF3
                                                                                                                                                                                                                                                                  SHA-512:21B626E619AAF4EDA861A9C5EDF02133C63ADC9E893F38FEDE72D90A6E8BE0E566C117A8A24CA4BAB77928083AE4A859034417B035E8553CC7CCFB88CB4CBD9C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...+b............" .........@...............................................P......'l....`A........................................P...a............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20944
                                                                                                                                                                                                                                                                  Entropy (8bit):5.000234308172749
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:SNDKWvhW/WYnO/VWQ4mWVx2RoXEKup3JdqnajKsztg/J:RWvhWvUexqoX7aJdlGsztgx
                                                                                                                                                                                                                                                                  MD5:4CF70855444F38E1EB71F9C3CD1C6E86
                                                                                                                                                                                                                                                                  SHA1:D06AEC4008D397756EE841F0E7A435D1C05B5F07
                                                                                                                                                                                                                                                                  SHA-256:A409E25A9D3C252CC0A5AF9DF85D3733E946087B06CD1FB2CF1BF640EB0D49BA
                                                                                                                                                                                                                                                                  SHA-512:A13A80645E679343AC5638E8AA6A03012F16200CB3A4637BE52A01AA3BEF854324A8ED1882CA91B304B9C47B6351B1FC1671F4DEDE5BE77BC208A71FE6029064
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....p..........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):304912
                                                                                                                                                                                                                                                                  Entropy (8bit):4.237308620636253
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:sQX9Xit++0PJSKtOJsgI3mwNdmLZ8mTQfsqxs0w:X9xacWIfsq6T
                                                                                                                                                                                                                                                                  MD5:7A6F920B2A26507F381C9926FF3955E9
                                                                                                                                                                                                                                                                  SHA1:3ACB49A2097FDC6DAB19D855CC9E926CEF2CC991
                                                                                                                                                                                                                                                                  SHA-256:ACC3E8888821897CFA2175C1B6FA244D3F8F3B9C19C7D10D13ABB2B5DBF0BD31
                                                                                                                                                                                                                                                                  SHA-512:300056DAF903C41155A9CC21FA50580F5730978B052BA3E1437DFFE21BA4BF8B85DD56BE64C4DAC38317497B5E06136CA7FF7FA2C569A79D93641A1ACCEC8DA9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d...0..f.........." .........|...........................................................`.......................................................... ..xx...........~...)..............T............................................................................rdata..X...........................@..@.rsrc...xx... ...z..................@..@....0..f........l...l...l.......0..f........................0..f........l...................................RSDSu{1^E..G...(.u......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb.............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....!..hw...rsrc$02....................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1436960
                                                                                                                                                                                                                                                                  Entropy (8bit):6.484129501687899
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:5Ltbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGfqfZ:5LtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgA
                                                                                                                                                                                                                                                                  MD5:1B4D16976D164450EE4353CEAB9D2FB3
                                                                                                                                                                                                                                                                  SHA1:D23DA40ABDF340AD7EB4BDFE236A2958734B9187
                                                                                                                                                                                                                                                                  SHA-256:F3B3025DA537F2CDDCBEA252F3B9FD806059E1E780388AF1F17717A08A88B31D
                                                                                                                                                                                                                                                                  SHA-512:D542C07705357B4F14FECEBB741C1A350CFE4DC1D62E798FA3D2BE454B5F6F36C679382EEAAE870A19F0BD4CA0C17015C095B449B3FA8B2DE4110DDF134678D2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2.US..US..US..\+..YS...!..RS..US...S...&..tS...&..[S...&..\S...&..>S...&..TS...&y.TS...&..TS..RichUS..........................PE..d...a..f.........." .....,................................................... ............`A............................................t....................0..@....... )......|.......p....................k..(...@...8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data....<..........................@....pdata..@....0......................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):58208
                                                                                                                                                                                                                                                                  Entropy (8bit):6.336737113725061
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:BIkf5nMEPz7omzpq/4Jw1AsDZq7v653eUu8su9WWD9zWVV:3n5tLX626u8b9WWpzWVV
                                                                                                                                                                                                                                                                  MD5:555F420D213590062A1EA6CCBA22FF93
                                                                                                                                                                                                                                                                  SHA1:1D0FCFAAE1FF46B8CC13AFF0BC8B23E8B6744061
                                                                                                                                                                                                                                                                  SHA-256:679EF868F8A1792862D066DE2E4A6DC2581F8EA1B449A27700D0ABD41F305840
                                                                                                                                                                                                                                                                  SHA-512:0CD0FEBCC0DE9F3C7A061FF667F9DCAA42708D12D94BB24C5452E7AFD81588AEB914FA9F7BADA471FBE35AAB86A329D22D00B7A7053EDC8BEAE24F8BE104E99C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x.................x.....x9.....x....Rich...........PE..d......f.........."......h...N.......).........@..........................................`....................................................................P.......`)......h.......T...............................8............................................text....f.......h.................. ..`.rdata...6.......8...l..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):140552
                                                                                                                                                                                                                                                                  Entropy (8bit):6.417221597504487
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:/XY8Ja8dy1+iLfBcGPUZZceOiU8mJ/QQc962jqc413OygrxkwFOZiLazze:fLgDL+vU8mpcoOygrxk7Z1ne
                                                                                                                                                                                                                                                                  MD5:EB426FB0169349BD00996AD44A4DBCFB
                                                                                                                                                                                                                                                                  SHA1:E4310867F2A65106E8651B6896C6874C86DC5D9D
                                                                                                                                                                                                                                                                  SHA-256:7E71B48980907AD28B686454DBBD7AFFEB31EB5D0D483F10726318E78C2FA697
                                                                                                                                                                                                                                                                  SHA-512:CA18E9C294180E8B541E0B60EA1EA82F9E96E9FBD00512A183DF4FF02AC305572D7036C03CD222DE048E9D1F1AA3A8AC0CC479FEA21F8772F11CF62272EB8276
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.......................+.......*.......-......./......./.{.....'......................,.....Rich....................PE..d...8..f.........." .....^..........P........................................P......b.....`A............................................(...(........0..........|........)...@..........p.......................(... ...8............p...............................text....\.......^.................. ..`.rdata..Tx...p...z...b..............@..@.data...............................@....pdata..|...........................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):394504
                                                                                                                                                                                                                                                                  Entropy (8bit):6.310874586526877
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:HBGjtNkrBCdJeD1QL3sQy8XyV0l0gzPI37VPzBzrBUh9epO1BE/XW9X:HBGjtNkU/rsQy8XyxnQaO0XW9X
                                                                                                                                                                                                                                                                  MD5:E91B1F5F3C422A8FABD79B2AB60D7534
                                                                                                                                                                                                                                                                  SHA1:24EA312FFA45D6611A4A487F7BD8185BF9E62F56
                                                                                                                                                                                                                                                                  SHA-256:3F08B69309BFE4B910D35AE6739EE8F650CB94428AE546222038DECD7BF102F7
                                                                                                                                                                                                                                                                  SHA-512:8E8B028123A710661CDD68F46A789186E3D73E8946B92582695D8A006854C92994DEBCD461E723EBC04E62499903D617B5D7568F20D79452FAF2ACCB21086200
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ux.U..YU..YU..Y.a.X_..Y.a.X_..Y.a.X...Y\l.YG..Y.f.XP..YU..Y...Y.a.XH..Y.a.XT..Y.a.YT..Y.a.XT..YRichU..Y........PE..d......f.........." .....D...................................................@............`A............................................ ... ........ ..........$0.......)...0..........p.......................(.......8............`...............................text...,B.......D.................. ..`.rdata...F...`...H...H..............@..@.data...............................@....pdata..$0.......2..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1320504
                                                                                                                                                                                                                                                                  Entropy (8bit):6.3740433775574274
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:I3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDH4Pecta:I7s7jsjS4znnqyIn7TrRUa
                                                                                                                                                                                                                                                                  MD5:5D5D12336DA85008B37919C795C56607
                                                                                                                                                                                                                                                                  SHA1:30F93505D325EFB2674C5F18CBD7603C0544F0EA
                                                                                                                                                                                                                                                                  SHA-256:70252416E6CB744F36B84AA3834C0EE9DFC3527EE97133DDD6AED0A2F178201C
                                                                                                                                                                                                                                                                  SHA-512:CC913259E618514AB7C7779C846C36E394CEF0EEA344DB1B9DB90B796525CD9F53987D927FDA94B28AB5E73B68FB9F258FDB5FE041B32D59AFFCB4E444AAE8C4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d...v..f.........." .....(...................................................P............`A............................................p...`........ .......`..........8&...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1320504
                                                                                                                                                                                                                                                                  Entropy (8bit):6.3740433775574274
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:I3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDH4Pecta:I7s7jsjS4znnqyIn7TrRUa
                                                                                                                                                                                                                                                                  MD5:5D5D12336DA85008B37919C795C56607
                                                                                                                                                                                                                                                                  SHA1:30F93505D325EFB2674C5F18CBD7603C0544F0EA
                                                                                                                                                                                                                                                                  SHA-256:70252416E6CB744F36B84AA3834C0EE9DFC3527EE97133DDD6AED0A2F178201C
                                                                                                                                                                                                                                                                  SHA-512:CC913259E618514AB7C7779C846C36E394CEF0EEA344DB1B9DB90B796525CD9F53987D927FDA94B28AB5E73B68FB9F258FDB5FE041B32D59AFFCB4E444AAE8C4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d...v..f.........." .....(...................................................P............`A............................................p...`........ .......`..........8&...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1268256
                                                                                                                                                                                                                                                                  Entropy (8bit):6.353781583662467
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:ZZdZVbcj9cSuINr2JeOayeFbpo7iE8o3c:LdZVbe9dNVOay8be7iTo3c
                                                                                                                                                                                                                                                                  MD5:04520F980CDAE284E8E277A5EEEEDDE0
                                                                                                                                                                                                                                                                  SHA1:553717161DB99170BF43A552F5ADE7D62D595C88
                                                                                                                                                                                                                                                                  SHA-256:0D2BAD6FB84641FB0C314A885A43659733A2FFE4FD30038D686D8943215085CD
                                                                                                                                                                                                                                                                  SHA-512:B6931CA1FB8E15E3EADA725477786CEFF1A5AC92A2BB6E6350BF826EB416E5E1CE1BB5F545C926EE86AC21B25F8B7569486F9A92E0BD237088482A9A5AE948A2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........g.jy4.jy4.jy4...4.jy4..|5.jy4..}5.jy4..z5.jy4'.}5.jy4'.x5.jy4.jx4:jy4>.z5.jy4>.p5.jy4>.y5.jy4>..4.jy4>.{5.jy4Rich.jy4................PE..d...o..f.........." .....n................................................................`A.........................................n..`....p.......`..........D....4.. &...p......`...p.......................(......8............................................text...5l.......n.................. ..`.rdata...............r..............@..@.data...x............t..............@....pdata..D...........................@..@_RDATA.......P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):58664
                                                                                                                                                                                                                                                                  Entropy (8bit):5.651805521522887
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:v8zO+8uP8x/A15A4HI4gJl01Qa7ICltVtYFClobY9zJQ+M:kzO+8uA/A15A4o4gJq1DI+tEi4QzmH
                                                                                                                                                                                                                                                                  MD5:FBB5BF650AAEA448D918B2CEFE709039
                                                                                                                                                                                                                                                                  SHA1:D9A7B45DD8F22D24089DE96559D3BAC4D431FA47
                                                                                                                                                                                                                                                                  SHA-256:060AEFDEBF10E01A664A63C4330137DA0C0CC9F01A82E1FB09981E0369A7D365
                                                                                                                                                                                                                                                                  SHA-512:F34556DBA9EA69FCE8BC2D0EB95AB16048EEC1603F7CC9107F4ADE445A0694FE35DF120D21A42DA44B2516839191912E29CDA88685E67F5E2AD02DC9CE98128D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<............." ..0.................. ........... ....................... ............`.................................l...O.......(...............()..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B........................H.......P .............................................................BSJB............v4.0.30319......l...pL..#~...L..._..#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....*-.........#.M...&.M.....M...M....h..)...$'....".2.....2...&.2..v$.2... .2.....2.....2...$.2..x..2...1.S.....S..5..]...$.M.................L.....L.....L..)..L..1..L..9..L..A..L..I..L..Q..L..Y..L..a..L..i..L..q..L..y..L.....L ....L.....L..

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147120
                                                                                                                                                                                                                                                                  Entropy (8bit):3.8679598076564816
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:ZtgZms10iHvh7x8SKJlZ4vCCk7nw55IvZ4MgSZctpoEXXRWfzy:ZtgZ/aSKlZ4ZGnwmUS4ScRg2
                                                                                                                                                                                                                                                                  MD5:354AF4403A04CA4CAF359981635D08D4
                                                                                                                                                                                                                                                                  SHA1:A447720776EE112E45E08CFF574123A54ABD4A08
                                                                                                                                                                                                                                                                  SHA-256:15B115DEC61C47C0C10C49E98513EA8E4C83A9E2FC1F562F30FDB2CC1F620643
                                                                                                                                                                                                                                                                  SHA-512:BAABAB57981A6E7476FD9716FDB34585A5AA443067E2BFAADB0A79F2F7AAFFA31DEAD4B5559E43327EA0E3AE4A89CF131245C6C5852334906D0CC465E51F2230
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d...8..f.........." .........................................................@......f.....`.......................................................... ..`................(..............T............................................................................rdata..X...........................@..@.rsrc...`.... ......................@..@....8..f........j...l...l.......8..f........................8..f........l...................................RSDS.v...lbG..}.c.......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....;.......rsrc$02....................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):517032
                                                                                                                                                                                                                                                                  Entropy (8bit):6.327188439808119
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:DD4t2kjj3Ueh/9WoJcDSdiA9HuUrUb9KcvYCxe3Rw42SISaVGxQJyRMq1KsLGjrT:DDrkjjUoJcDSdiw4QcO3RoS9MV
                                                                                                                                                                                                                                                                  MD5:B5D0F85E7C820DB76EF2F4535552F03C
                                                                                                                                                                                                                                                                  SHA1:91EFF42F542175A41549BC966E9B249B65743951
                                                                                                                                                                                                                                                                  SHA-256:3D6D6E7A6F4729A7A416165BEABDA8A281AFFF082EBB538DF29E8F03E1A4741C
                                                                                                                                                                                                                                                                  SHA-512:5246EBEAF84A0486FF5ADB2083F60465FC68393D50AF05D17F704D08229CE948860018CBE880C40D5700154C3E61FC735C451044F85E03D78568D60DE80752F7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.................................................................................7...2......2......2.7....._....2......Rich............................PE..d.....Mb.........." .................E.......................................0.......H....`A........................................0y..|....y....... ..h........>.......'... ..........T...............................8............... ............................text...z........................... ..`.rdata...{.......|..................@..@.data...p2...........r..............@....pdata...>.......@...~..............@..@_RDATA..............................@..@.rsrc...h.... ......................@..@.reloc....... ......................@..B........................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1122768
                                                                                                                                                                                                                                                                  Entropy (8bit):6.6466118295886165
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
                                                                                                                                                                                                                                                                  MD5:3B337C2D41069B0A1E43E30F891C3813
                                                                                                                                                                                                                                                                  SHA1:EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
                                                                                                                                                                                                                                                                  SHA-256:C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
                                                                                                                                                                                                                                                                  SHA-512:FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^...............................................N....`A................................................................. ...........!...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\Splashtop Streamer.lnk

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Oct 25 18:49:52 2024, mtime=Fri Nov 8 11:55:34 2024, atime=Fri Oct 25 18:49:52 2024, length=4642304, window=hide
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2267
                                                                                                                                                                                                                                                                  Entropy (8bit):3.5041196157193952
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:8GA2EVdOELLOcL2KqtyfrQEUSsSAKfdQ4dGdQcQTUUsFmyfm:8GApVdOdffosEUSOKfdtdGdlx1j
                                                                                                                                                                                                                                                                  MD5:9A524FCD7C32C1E0B172E987C3D7E6DB
                                                                                                                                                                                                                                                                  SHA1:B1EFD6BFE24CA884FCDFDB531B5246537E66237F
                                                                                                                                                                                                                                                                  SHA-256:F0F9677868F96FBDEA1D4C8A9DC882923E7024B5CC30AF1C2696A181A62ACC5D
                                                                                                                                                                                                                                                                  SHA-512:84DD10CCB23AAD9E776690D4DBB92BF7959496A96A1556CC26BF2386612AE64762399AF0AB7B60739397C9380A9BC515ABB473447EEDE70D486805BA8FAC9135
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:L..................F.@.. .......'.......1......'....F.....................G....P.O. .:i.....+00.../C:\.....................1.....hY.f..PROGRA~2.........O.IhY.f....................V......A..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....hY.f..SPLASH~1..D......hY.fhY.f...........................A..S.p.l.a.s.h.t.o.p.....j.1.....hY.f..SPLASH~1..R......hY.fhY.f..........................\..S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e.....T.1.....hY.f..Server..>......hY.fhY.f...........................'.S.e.r.v.e.r.....f.2...F.YY:. .SRServer.exe..J......YY:.hY.f..............................S.R.S.e.r.v.e.r...e.x.e.......t...............-.......s..............u.....C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe..T.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.p.l.a.s.h.t.o.p.\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e.\.S.e.r.v.e.r.\.S.R.S.e.r.v.e.r...e.x.e.8.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.S.p.l

                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2402
                                                                                                                                                                                                                                                                  Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                  MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                  SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                  SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                  SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):651
                                                                                                                                                                                                                                                                  Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                  MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                  SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                  SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                  SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                                                  C:\Windows\Installer\6cdf85.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2994176
                                                                                                                                                                                                                                                                  Entropy (8bit):7.878665058716973
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                  MD5:6E58D9AF76A06F068FC49D0F5F895966
                                                                                                                                                                                                                                                                  SHA1:6EAF5813536F716CAB6CCDDA47E8F0BEAA74B30C
                                                                                                                                                                                                                                                                  SHA-256:B8788BA7D7D7F8FCE00F8446B778B9F9B9852E4EC2F3766D6E32C68B50950899
                                                                                                                                                                                                                                                                  SHA-512:4D314DCC18F09CE95453470101EFC55E690657E2288728839F04D7060A1F767A4BE0D1B48CC0A980979D35C440144CC2CBFFD767732B19E4AF4C5333A8FC93E9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\6cdf87.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2994176
                                                                                                                                                                                                                                                                  Entropy (8bit):7.878665058716973
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                  MD5:6E58D9AF76A06F068FC49D0F5F895966
                                                                                                                                                                                                                                                                  SHA1:6EAF5813536F716CAB6CCDDA47E8F0BEAA74B30C
                                                                                                                                                                                                                                                                  SHA-256:B8788BA7D7D7F8FCE00F8446B778B9F9B9852E4EC2F3766D6E32C68B50950899
                                                                                                                                                                                                                                                                  SHA-512:4D314DCC18F09CE95453470101EFC55E690657E2288728839F04D7060A1F767A4BE0D1B48CC0A980979D35C440144CC2CBFFD767732B19E4AF4C5333A8FC93E9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\6cdf88.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53071872
                                                                                                                                                                                                                                                                  Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                                                  MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                                                  SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                                                  SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                                                  SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                                                  C:\Windows\Installer\6cdf8b.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53071872
                                                                                                                                                                                                                                                                  Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                                                  MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                                                  SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                                                  SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                                                  SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                                                  C:\Windows\Installer\6cdf8d.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.35 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.35 (x64)., Template: x64;1033, Revision Number: {76657AF8-AF4E-4FA9-9A39-80AC267D9B11}, Create Time/Date: Fri Sep 20 22:46:46 2024, Last Saved Time/Date: Fri Sep 20 22:46:46 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):27254784
                                                                                                                                                                                                                                                                  Entropy (8bit):7.993818546625114
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:393216:S9tkUbkbvqusHBmlh8dvMt0NDf8K/36n8lxjNnLBKopkJUjy/AlhxH169Dqnw+Oz:24qu1lMDf8Kyn83jNltkJ7JGnTOaTm
                                                                                                                                                                                                                                                                  MD5:D9F7AE6A57AF83B652711426C4834045
                                                                                                                                                                                                                                                                  SHA1:98D255AECDBFD1BAE9FF533D4C7E5DBE5D0E1833
                                                                                                                                                                                                                                                                  SHA-256:AF1319821632F2CEB79C61B4CA6EB53A6341FBA295C02716418216857AF7F4E0
                                                                                                                                                                                                                                                                  SHA-512:5C7DB8C0617125DEB27DE37B056FEEAEAF18585A12AD347A6E6C132AE438E1EB0F27180BC700BD8322E5D5A30E7CEFA62B123E7B0B9CD85E1B8605C0B195BE03
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):521954
                                                                                                                                                                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25600
                                                                                                                                                                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1021.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp-\CustomAction.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1538
                                                                                                                                                                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):184240
                                                                                                                                                                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):711952
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1021.tmp-\System.Management.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI1217.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):14156720
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577403460767359
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:393216:5B9FTi+H/9aOqLB9FTi+H/9aOqmB9FTi+H/9aOqX:Rx/YOqDx/YOqmx/YOqX
                                                                                                                                                                                                                                                                  MD5:E4812889274660A8209DBDF27A6CBDC9
                                                                                                                                                                                                                                                                  SHA1:F9C2FFF8430800B154A58862F834E457086971E5
                                                                                                                                                                                                                                                                  SHA-256:6B05BAAC10BA5357F65B65665ECA0AFB5B6911C0D8DEF7D589327F6066CD78FF
                                                                                                                                                                                                                                                                  SHA-512:9F8F37F85E5557D1364A939601760EB5ADCCE8BD626301ECC24FA083844E8B52CB08BA63BA3246B3B24A51B921AAF61C289950F73D9960007E96097271A64080
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........Util_UpdateSetting....J...Util_UpdateSetting.@....../.H.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f...

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI15A2.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4718639
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                                                  MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                                                  SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                                                  SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                                                  SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI2FB3.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4718639
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                                                  MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                                                  SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                                                  SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                                                  SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI4908.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4718639
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                                                  MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                                                  SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                                                  SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                                                  SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI5BB6.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):182768
                                                                                                                                                                                                                                                                  Entropy (8bit):6.29474871459677
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                                                                                                                                                                                  MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                                                                                                                                                                                  SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                                                                                                                                                                                  SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                                                                                                                                                                                  SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x......................K.......................n...............nz.....K.......K.......K.........T.....K.......Rich....................PE..L....7.d...........!.................................................................I....@..........................E..a....6..........p................-......t...................................h...@............................................text............................... ..`.rdata..............................@..@.data...41...P.......:..............@....rsrc...p............L..............@..@.reloc...H.......J...R..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI6D7A.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):250736
                                                                                                                                                                                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                                                                                                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                                                                                                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                                                                                                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                                                                                                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSI7655.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):84904
                                                                                                                                                                                                                                                                  Entropy (8bit):5.644586384125283
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gfsMvnDN/t3Hss+bEQjDhvBfHkuMfw9HcISmiWessgt7S2tsMv2XsP4G3IJ7k3NQ:msMvnNN+bxnIW3u
                                                                                                                                                                                                                                                                  MD5:B81EAE090E75DFD0E0F58C28765FAD5A
                                                                                                                                                                                                                                                                  SHA1:BD46793EFAD8D0F02584E6E7C94F53BB65FC7260
                                                                                                                                                                                                                                                                  SHA-256:350A1C893EE3F91C2AC81539D3342CE96EA95B593EA828B324CDF382780BF564
                                                                                                                                                                                                                                                                  SHA-512:E28209627F116EDEA625B9D3B985FB865114188F736397AEEBE68D27935C2F6E01CAC798B750D4BDADDF2BDA365EB2BC87143E28E7C7CE0D32D43739C8B14D20
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.?hY.@.....@.....@.....@.....@.....@......&.{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}%.Microsoft .NET Runtime - 6.0.35 (x64)!.dotnet-runtime-6.0.35-win-x64.msi.@.....@.S.0.@.....@........&.{76657AF8-AF4E-4FA9-9A39-80AC267D9B11}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.35 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{BCDE6883-BAB7-54AB-B504-D8C3F75FDB2A}S.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_48.140.21458_x64\Version.@.......@.....@.....@......&.{F621578B-E081-5FC4-B0C5-A151B816DC51}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\.version.@.......@.....@.....@......&.{B0658A77-9697-57AB-AEF0-C49F5788A264}^.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll.@.......@.....@.....@......&.{120A93F0-81ED-50CA-84

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIA212.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):182768
                                                                                                                                                                                                                                                                  Entropy (8bit):6.29474871459677
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                                                                                                                                                                                  MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                                                                                                                                                                                  SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                                                                                                                                                                                  SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                                                                                                                                                                                  SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x......................K.......................n...............nz.....K.......K.......K.........T.....K.......Rich....................PE..L....7.d...........!.................................................................I....@..........................E..a....6..........p................-......t...................................h...@............................................text............................... ..`.rdata..............................@..@.data...41...P.......:..............@....rsrc...p............L..............@..@.reloc...H.......J...R..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIA2DE.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):171064
                                                                                                                                                                                                                                                                  Entropy (8bit):6.093983981233022
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:jq44uv69SIrScxe0IZNJ+x+uk+hZPDFNkXAO4VR:jfn2Slcxe0Fc9CcQO2
                                                                                                                                                                                                                                                                  MD5:E80F90724939D4F85FC49DE2460B94B5
                                                                                                                                                                                                                                                                  SHA1:512EA4DEBA1C97CC7EC394BCE0E4A32CD497176E
                                                                                                                                                                                                                                                                  SHA-256:8041D3CCBAFA491D35F70030C3AFEBA683B0235BED24F242878D04C7E87B8687
                                                                                                                                                                                                                                                                  SHA-512:9494F1CD058DC3923E4F562D8ED2EDF3D252F519EFC6DB4F1B5289D8A1B841A6CB927E14D33DAB98E0BD4D22A5A473B8CD9424F77213527FBE0C183126356767
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._`,"..Bq..Bq..Bq..q..Bq<.q..Bq..q..Bq..q/.Bq..qh.Bq.y.q..Bq.y.q..Bq..Cq..Bq..q..Bq..q..Bq..q..Bq...q..Bq..q..BqRich..Bq........PE..L...`.a...........!.....p...$.....................................................P...................................m............`..p............x..8$...p.. .......................................@............................................text....o.......p.................. ..`.rdata..M............t..............@..@.data....1... ......................@....rsrc...p....`.......$..............@..@.reloc...L...p...N...*..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIA408.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4718639
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                                                  MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                                                  SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                                                  SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                                                  SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIBD8C.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4718639
                                                                                                                                                                                                                                                                  Entropy (8bit):7.577427915454562
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:k3H5BNwueVRfsNljT+cCD+EATI7tAnSTcGPCctQa3yR4btPR3:k3H5BNMsNFTi+Hn/CQaOqj
                                                                                                                                                                                                                                                                  MD5:2207F96731CE2F9D9327C0BAAF4959EF
                                                                                                                                                                                                                                                                  SHA1:F56EA992C59AD669EC8EE5D6A827ADC472159CC0
                                                                                                                                                                                                                                                                  SHA-256:E4CEDDD5C37C90F8FC7787663A9BED31518FBA82413E80B21230425E380C42DB
                                                                                                                                                                                                                                                                  SHA-512:7E4BD781F879B593F722277839175AA895C863B2015D691C85C8EEC4FE635D233CD94D2B0DCE46CD058F08A005CAA73888809DF414983FF2A4C938770EF71FD4
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIC1F2.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):563559
                                                                                                                                                                                                                                                                  Entropy (8bit):5.783990705498802
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:hw3B7f8m8end5Xy+1kvI8k9W91iVXuXskIh7:huh8edk+1kv5K+Wh7
                                                                                                                                                                                                                                                                  MD5:6858E214F68DFF90BC644085E37BBE0D
                                                                                                                                                                                                                                                                  SHA1:4B2FDDE0BDFDBB87632850BF6F56EA25A1732F14
                                                                                                                                                                                                                                                                  SHA-256:5177BFA7912405FA5D291776BB87858AE23510C847438BF01F533B89778829BA
                                                                                                                                                                                                                                                                  SHA-512:1753D883DC6DFFAD2691474D009E19384CAAEAF77D8526CC6B5A42ECA44F5A68C1F29E89EA9650524282E3E63649CDAD6140595C8DDE610797B89AD38740E134
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}2.C:\Program Files (x86)\Splashtop\Splashtop Remote\.@.......@.....@.....@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}M.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm.@.......@.....@.....@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}@.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\.@.......@.....@.....@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}Z.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_dr

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):521954
                                                                                                                                                                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25600
                                                                                                                                                                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE0CD.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp-\CustomAction.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1538
                                                                                                                                                                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):184240
                                                                                                                                                                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):711952
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE0CD.tmp-\System.Management.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):521954
                                                                                                                                                                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25600
                                                                                                                                                                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE39D.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp-\CustomAction.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1538
                                                                                                                                                                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):184240
                                                                                                                                                                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):711952
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIE39D.tmp-\System.Management.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):521954
                                                                                                                                                                                                                                                                  Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                  MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                  SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                  SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                  SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25600
                                                                                                                                                                                                                                                                  Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                  MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                  SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                  SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                  SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF6F7.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp-\CustomAction.config

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1538
                                                                                                                                                                                                                                                                  Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                  MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                  SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                  SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                  SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):184240
                                                                                                                                                                                                                                                                  Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                  MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                  SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                  SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                  SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):711952
                                                                                                                                                                                                                                                                  Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                  MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                  SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                  SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                  SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF6F7.tmp-\System.Management.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61448
                                                                                                                                                                                                                                                                  Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                  MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                  SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                  SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                  SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF90B.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437316
                                                                                                                                                                                                                                                                  Entropy (8bit):6.648091350577176
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:0t3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ksx:EzOE2Z34KGzOE2Z34KA
                                                                                                                                                                                                                                                                  MD5:3BD5693A7EDABA26C49F6EA3A9636530
                                                                                                                                                                                                                                                                  SHA1:14251EFB62E3171FA35E1F30413BE5D133C99F32
                                                                                                                                                                                                                                                                  SHA-256:752A7C3C000C7C67E4A398303200EB2076216407F5D19B210AAEB3132ABA4596
                                                                                                                                                                                                                                                                  SHA-512:03D5A88EEF6DA7FA157EC204D510310EB8B6E70E783AC2D128D4DDF86C1770F277F2A6487275B38331C2F1E620FB3BD41285D4CEF88351C0ADA1AA88CC839BBF
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIF90B.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...@IXOS.@.....@.>hY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Le55bnMCON.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[...................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF91C.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):216496
                                                                                                                                                                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIF96B.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):216496
                                                                                                                                                                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\MSIFA66.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):216496
                                                                                                                                                                                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.1621944147125938
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:JSbX72Fj9QAGiLIlHVRpMh/7777777777777777777777777vDHFn5Np3Xl0i8Q:J3QQI5chF6F
                                                                                                                                                                                                                                                                  MD5:C943DE60D6A11802ABB365AF99E68098
                                                                                                                                                                                                                                                                  SHA1:16A73896BB86BEBA83ABCACB5A9FA30186CC7D67
                                                                                                                                                                                                                                                                  SHA-256:79D64E25BAFEBEFF5AD06B16DC083EA2193F0E8DC17DFC433D8FE469A83F537C
                                                                                                                                                                                                                                                                  SHA-512:9C362C3230D654B4C1D8844AE40939C9871337AC027F9AD0637500D33F9C8B5687C24926F000E2A19064D2FFBA80F84E7D48B0653DBEDE86E6EA7B973C0052C9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\SourceHash{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                                                                                                  Entropy (8bit):0.774185215266775
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:JSbX72FjcaAGiLIlHVRpUh/7777777777777777777777777vDHFxgIjNxKR/XlN:JuaQI5E5NxKJ6F
                                                                                                                                                                                                                                                                  MD5:B2D51DB4F378D54CE89BA067D37662F3
                                                                                                                                                                                                                                                                  SHA1:BCB39B9179FDA95CC3AB6FC845E42EE1732A808D
                                                                                                                                                                                                                                                                  SHA-256:A8B617983EBD99D3F3F81A568F209381EEE31EB5330B7CAABB2A511D0410F20B
                                                                                                                                                                                                                                                                  SHA-512:81B17A5CD392ECF03741DCBBECDE4EE97FB646F951089B2BEAC3848B9405D32110F67C93837920961A5B08A967FEF18EE3DAE8F80AB612528DAD622EE8C316AA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.165009919416399
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:JSbX72FjdQAGiLIlHVRpZh/7777777777777777777777777vDHF9y9azuB+XBiV:JcQI5tXyUxXMiF
                                                                                                                                                                                                                                                                  MD5:6CD01B2B64D3171C9A0646F5780C4142
                                                                                                                                                                                                                                                                  SHA1:7C35B434934463BA08409351FD5839A14EF6547C
                                                                                                                                                                                                                                                                  SHA-256:0CFEA6CC7966018981EF2E6846BFCF2673D2BE025C82F4CBFCC2DB2BF30A72C9
                                                                                                                                                                                                                                                                  SHA-512:34B3AA4078A867CAF0EC579D2923B4D878AD6B10AE5FCC9FA4F93D5502A76DC09F43CCE7F831F6DA40AA2D6FBB1E720FB019400C66E1FBB0E53D4BD788E7C369
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):1.278658792229478
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:DOLuXvh8FXzdT5bKqmdXynE5SjndddwEqdGUDj0bQiSsndddSE8ly:yLBjTVKqqCnE5f3DoNaE
                                                                                                                                                                                                                                                                  MD5:72FF3EB2F3C670D56CDE38C4BFA08F58
                                                                                                                                                                                                                                                                  SHA1:F001567FD77106D3FFC25833C816DAD2A57030A0
                                                                                                                                                                                                                                                                  SHA-256:A2D3D16BBC6EC8A1854A330908659F9783C0CD512FFB1683E3C1AA75090403D2
                                                                                                                                                                                                                                                                  SHA-512:3CD8D0E696C667810168DEB759B5F280CA490109B01B1713752C34131501C60EC4DE33B00938EFE87D2BC199C2B118DECC08E0A950DB653ABD59D307B864D9F7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):454656
                                                                                                                                                                                                                                                                  Entropy (8bit):5.348929773767357
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:D7f8m8end5Xy+1kvI8k9W91iVXuXskIhT:/h8edk+1kv5K+WhT
                                                                                                                                                                                                                                                                  MD5:149336F319D9AE2CA49E49FC61E834AC
                                                                                                                                                                                                                                                                  SHA1:E00591F432E8B306A349D76BF280736E4509E49F
                                                                                                                                                                                                                                                                  SHA-256:9E06D2D011DA7F988CF974584BB9F2D780D2460DAE92B02FF13F50FC2B3ED2E8
                                                                                                                                                                                                                                                                  SHA-512:BF7BC7C5FCD881C2A2E19914A0C3D765BED36D63C3FF0D60C07DA4CB8072F45DA3BC0DE7605BFE83B23E0572F1B700C0B613C049DC613F7470C095AE7EC9931D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L......a.................@...................P....@.........................................................................4T..(........^...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....^.......`..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):432221
                                                                                                                                                                                                                                                                  Entropy (8bit):5.375181302793421
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauJ:zTtbmkExhMJCIpErw
                                                                                                                                                                                                                                                                  MD5:4900D7A152C7EE5F6335D6192ED0C142
                                                                                                                                                                                                                                                                  SHA1:9CC890269D9FF30CA0FE447D66E4FEE7288D101B
                                                                                                                                                                                                                                                                  SHA-256:3A7E22FDCF31238EE15FDFA328558EA536FD4E269279C895BB574E3ECFF4FBD4
                                                                                                                                                                                                                                                                  SHA-512:124122CDBB305CC1A2DBDCEE3BA98C07F0E5FCDA2BC4AF43AC390EE7FBC9ABCC6BE3A3CDFD659EC9D0B5062F9D3CA2B615A861D3889F57AE06C645ADC8811FF1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):727
                                                                                                                                                                                                                                                                  Entropy (8bit):7.60721185299801
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:5o6Tq905h44TokOdbIadHzEPLnOkV5BR4gTmDqAR3z1Is:5t6ZlzEDnr5kNz1N
                                                                                                                                                                                                                                                                  MD5:91FA1EA174BEBC1127BA9ED5019809A0
                                                                                                                                                                                                                                                                  SHA1:1D11535AF259DCC9895C74B0DE11B8A3033A432C
                                                                                                                                                                                                                                                                  SHA-256:24D4282ECD46D28FB4B972CEA33D3A4F0627BA867BCE15DD5BE391779D3F1BAD
                                                                                                                                                                                                                                                                  SHA-512:84FA89DD06FAF6C349B3FF76CB065D73F72A46DC56FA02E0E24DB2E27FB2B75A8DBCCEABE8BDFC927EE5634E1E54EE877CE6D3BC0D0DAC595CFC76F234707274
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241107164323Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB.......`.< ._......20241107162701Z....20241114152701Z0...*.H.............~<1..k%..P.eV./...F..gP..$.SU3..'.....M.....O..N.....@cN.>...VD.......?.............C..P..mF.~i|+"..8K.G.e.FjEQ......~..z.<=Zk...:.......??.7|.h. ?.!.j..:.v....mUw[.Y...-!.^C...........*...w..(2n..DX..b.vl....M......]...Dbx...u".....oHg.N.[....~.....:).Q>...u<..b.....AT..I.\..yb2...s.B=..]_{Z.Q..{.B/)...YQ@...t._..9.....H.?.~..`%..<.q...P..V.....:....5.'^...~F..L..z.;K..]...\.M.1.@.PT..~^_JP.......pa+wu..J.ZO..;..6.:P.Z....~y.....O.W..G..A.9.\kT....#...........[v.$.$...f.P...L...

                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):727
                                                                                                                                                                                                                                                                  Entropy (8bit):7.562070540258883
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:5onfZSc5RlRtBfQwRhs5vCZgPVrVJEYbw7OIiVFQlb8PjcNCUAnqr/E:5i8cdZTRhG+gPZPfIgMb8PjcNCa/E
                                                                                                                                                                                                                                                                  MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
                                                                                                                                                                                                                                                                  SHA1:5E9BC182D48B8E86A61D8A3F4B5ADD9C88DA6800
                                                                                                                                                                                                                                                                  SHA-256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
                                                                                                                                                                                                                                                                  SHA-512:1054D82E5E1B2F2C1416D31F01FF2C172ACA8DCC31A622CDD959F918B78A474BD9B40A9B7316122A8262FAC24D6236860E2EADD665030A61D56C5C0A153F81C7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241107184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241107184215Z....20241114184215Z0...*.H.............t.yl..<Y.&4S...*..).G...s.X.S.x....)l.ng.Jpe....-...}@....|.....J.\#(....]..}.......k/.a..v.I.w...6.W.`{.D..z.%.c.T".p....\....CX..L...u.n...6t.6..1W....f....m6.W....?..N...d.Q..1...H+..k..A.X..../&a.I....#..)..h.*.'..@...'s.~.i.X"...w.B...P\.K..3..V.5...A.-l..#.V...i...\.)=..G.ob....o............eTi.1...)k..+.e.?. :.X.0^.k.4.;.....S8....\.K.w#q..._m.F....(^.......}.\.}?...W....T.......)..#..{6QC...'....=....f.....>........{}.k..\...*.i.....e..F..1&.%.U.aAO....k....<....p?S.

                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):408
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9716482960667787
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKK4Oc+bs/ll2pEsdMhyfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhB:7r+AthymxMiv8sF3HtllJZIvOP20Z8oF
                                                                                                                                                                                                                                                                  MD5:A76599825C6F1F9EA50532B8AB69E90D
                                                                                                                                                                                                                                                                  SHA1:59ECF7DBBF1CD88BAEEA79CA8EEA5F2D0E007F0A
                                                                                                                                                                                                                                                                  SHA-256:A1AAD89BED6B0B37F0A2EE5B6B6A6F55726D7726D5291855F9C206670C8935B9
                                                                                                                                                                                                                                                                  SHA-512:33C5C0E73A11086FB8DF6775DA5DEB4840D560C30378CE2C9A84A007A077B86DD37DEBDE2BB553D2105EBD725A7A1714D03A09C4BECAFA3C0E1F542F0EF27889
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ....$.....Y..1..(................xy.11...P...6...................P...6.. ............1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.c.c.8.p.W.v.3.e.y.M.Y.M.0.8.I.P.Z.f.5.%.2.F.0.%.3.D...

                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):412
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9941882883287985
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKEBEPlph1ts07yfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:uGhzymxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                  MD5:60D158D6030007FCE02F1E2D2771CA28
                                                                                                                                                                                                                                                                  SHA1:6686BCA336E3F59288139522BDC2ED7BDA1B2CC7
                                                                                                                                                                                                                                                                  SHA-256:9FB7C459C47C292654EA7DA5362D2176FBB55F07FA22F3C918A0B16129223489
                                                                                                                                                                                                                                                                  SHA-512:B8A63AB2365115C0160F9C6DD8FE4307954FA0E8D633CB8DCBBFFE6ECBE7DF8685D1C81AF20808DA2DE250BE91D14B64E8B888C133FCF15243252529BBE65D4F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ....(.....z.1..(...................D1......6......................6.. ........$...1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                                                  C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):704
                                                                                                                                                                                                                                                                  Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                  MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                  SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                  SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                  SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                                                  C:\Windows\System32\SRC92E.tmp

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):326664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                                                  MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                                                  SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                                                  SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                                                  SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):471
                                                                                                                                                                                                                                                                  Entropy (8bit):7.195984909074457
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:JyYO25GLsHt2Z5OKjOL+0BWlm+GNb3MkSl:JRO2ILsNUOL+0BWlJN
                                                                                                                                                                                                                                                                  MD5:7795DF33FC7DD3AA62E0BC052F9DFBAD
                                                                                                                                                                                                                                                                  SHA1:EA227EC994561B5BCE01C5228F9C337286FBEC9C
                                                                                                                                                                                                                                                                  SHA-256:6AD47D714F3DD55B2FE9072E829542851D2ECF60CB88254002C60449E8ACA736
                                                                                                                                                                                                                                                                  SHA-512:DE11027F0CA32119EBBB17976ECBE6582AB6AF8CAA7CE522D75C4185DA722550F1F981064DB9BE6074EB1C6C096C933C2DE7EE42B1F31B4FEDC9982F87157F9D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241107190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241107190516Z....20241114190516Z0...*.H..............\%h......B.q.?..,7..O2@.Z9.Q.~6..b..........vo...(['.Qr...0..\..d.3c.o....A6......w.*.....R.......<mN(..q....F..C.q(...o.p.........%.'.T.j./.+....)4.}'..V..&H.PL...a...X.X@7.,0 .....'T>.P@V.....$..W...^b.y<z0.........".f...(U.w.).'!..6R.ve

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):727
                                                                                                                                                                                                                                                                  Entropy (8bit):7.538244021680764
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:5o6Tq93k5h44TUqpqeLDTeV2ZeqhBwAksO9b8Sq0PtlRHwX6KluyUwVKvfsIg66:5hoqbyVs5ksO9btTPhdby8cBR
                                                                                                                                                                                                                                                                  MD5:29DD7378778C44788BAC45D70EA7B440
                                                                                                                                                                                                                                                                  SHA1:7A3C5E30C0C9A9BE505B18FD2C24422D5E3DBE56
                                                                                                                                                                                                                                                                  SHA-256:69354FF510301B85C14CC1ECD0E5B3C98308B820CFBCE483389A7B9A437F67D5
                                                                                                                                                                                                                                                                  SHA-512:9E67BEE1AE05B0F2408210A6662926CC9DA6EE2864820A4704ADFFAE9DD78B80E79EE32E83F5A5E35BED9603E82795A38570D56CC93384B82DC6254940079FE7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241107213702Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241107212102Z....20241114202102Z0...*.H.............'....P0.......<..Y.xj.H.......Y..0.......{9$^.....>...W;...?.....xD/-H.Xj. p.z......;]..1v..Kpv.....X...Hz...6.(P.J_..<.e...a.U@..wK.QO...R....Qs..K.w.t~. .-D)..1$.........U..%..*....$8:.*'x...@.Q.X..w.g.t:..(.M.2.......~.t.Y.5...|.m.....+..)$....L.b....\(...2.i...t..@.lUX...=......o..jq1..~W.GQH.-.b.....@{..x.k..J=.g...Sd..].H.(.'5A..@h,./..)..e.!..$..;[..`..X...<.c..._4c.3..QG.....Uz.<S~J.4;...[.T.....#.r=..m*... ?..=jr~.....E6.O...Z...=t.......w.....9.>...Z56l..$..]....%.B2#.)%4o.d!.:

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1716
                                                                                                                                                                                                                                                                  Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                  MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                  SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                  SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                  SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):727
                                                                                                                                                                                                                                                                  Entropy (8bit):7.562070540258883
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:5onfZSc5RlRtBfQwRhs5vCZgPVrVJEYbw7OIiVFQlb8PjcNCUAnqr/E:5i8cdZTRhG+gPZPfIgMb8PjcNCa/E
                                                                                                                                                                                                                                                                  MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
                                                                                                                                                                                                                                                                  SHA1:5E9BC182D48B8E86A61D8A3F4B5ADD9C88DA6800
                                                                                                                                                                                                                                                                  SHA-256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
                                                                                                                                                                                                                                                                  SHA-512:1054D82E5E1B2F2C1416D31F01FF2C172ACA8DCC31A622CDD959F918B78A474BD9B40A9B7316122A8262FAC24D6236860E2EADD665030A61D56C5C0A153F81C7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241107184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241107184215Z....20241114184215Z0...*.H.............t.yl..<Y.&4S...*..).G...s.X.S.x....)l.ng.Jpe....-...}@....|.....J.\#(....]..}.......k/.a..v.I.w...6.W.`{.D..z.%.c.T".p....\....CX..L...u.n...6t.6..1W....f....m6.W....?..N...d.Q..1...H+..k..A.X..../&a.I....#..)..h.*.'..@...'s.~.i.X"...w.B...P\.K..3..V.5...A.-l..#.V...i...\.)=..G.ob....o............eTi.1...)k..+.e.?. :.X.0^.k.4.;.....S8....\.K.w#q..._m.F....(^.......}.\.}?...W....T.......)..#..{6QC...'....=....f.....>........{}.k..\...*.i.....e..F..1&.%.U.aAO....k....<....p?S.

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1428
                                                                                                                                                                                                                                                                  Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                  MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                  SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                  SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                  SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):338
                                                                                                                                                                                                                                                                  Entropy (8bit):3.424370282568302
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKTQ3y8CnsaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:bKyhnckPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                  MD5:752BFF391D0453A7A1135D97FD2689A4
                                                                                                                                                                                                                                                                  SHA1:42F864F719F32D434165A5C45460D57A4E353D10
                                                                                                                                                                                                                                                                  SHA-256:119B81D6C2A3306CFD164E6E6D878558CB48FC8D4A93902A3BE236D402555F53
                                                                                                                                                                                                                                                                  SHA-512:F91D9EB9077A8C4B09FCB3D9D266F14C2CC56693D6933C84AA36BE3148335692F6D961115A1835F0C8A5B41EE010EBED06EEE7F066486563B835F2277E87C4FB
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ......../Dl.56..(...............................................$Q..c2.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):400
                                                                                                                                                                                                                                                                  Entropy (8bit):3.944969562489189
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKrUpRUItll3f/sT4lXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJ:0UItvf7zmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                                                  MD5:35C22CD5E909CF2A5DAAE3C0B29971C7
                                                                                                                                                                                                                                                                  SHA1:0FC933ED0086AA5C69AD32D66BC8AEF40C9396A8
                                                                                                                                                                                                                                                                  SHA-256:A632A849B6BC53FFB3CD7F58D41D6D3D559A3DDCE9BBC354EF796188A11DA54C
                                                                                                                                                                                                                                                                  SHA-512:95694216E09776CE0D078AFC0B0DF2814B4DC0DAD12EF3201A47D0CE2386D1F48D884002AB3AF21331306496132D3A916C21BBEDA7EF671CB7CC1C81680827C2
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ........f..s.1..(................~..G1.....#.6.....................#.6.. .........S..1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):404
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9228864866085456
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kK3cMJGP/lD3s7yfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+Ksc8:ucymxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                                                  MD5:B8709ECF175DE4114DD8A5C043211036
                                                                                                                                                                                                                                                                  SHA1:A8AA3D4B100F56E366EF54DFAE7F4B20487F517C
                                                                                                                                                                                                                                                                  SHA-256:299E754F064FE17D31436442B2AD676506C522C9861757107700C4DAF43B58A7
                                                                                                                                                                                                                                                                  SHA-512:297C745B50686B5D26E77C6E079F9339FAEAD35CC68CED386C66514CCBB08A344A0B58210D4F5B45A9457112CE03D353DF466D0C60255DA078CBE66CC122571B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... .... ...Q..1..(................sT.Z1...Kt..6...................Kt..6.. ........dh..1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):308
                                                                                                                                                                                                                                                                  Entropy (8bit):3.206650934253046
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKxZ3nzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:CtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                  MD5:5C4B544271019EA9C76BB3F39D0B0333
                                                                                                                                                                                                                                                                  SHA1:21DC9F6907DBB3E9002858B271A12A0DE8BC93DB
                                                                                                                                                                                                                                                                  SHA-256:5A2A53835B8BC61678F8DFE572B122C8D0CE16120FE69042C4197E760B708830
                                                                                                                                                                                                                                                                  SHA-512:4D1E11ADBEC15EF238CAF3780A057D0B8F06FE202A07C4F83CFB06AC551760F001EB71113354C2959EF33CBC2D816902AB91D460C387B738CA8497F8EE1A921A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ..........w..1..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):412
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9911661706156027
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKEbEPlph1tsx0hyfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkr:cKhfhymxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                  MD5:DD2C77E5AB30A7C641B8438252562FCE
                                                                                                                                                                                                                                                                  SHA1:1F3922AAE143A4FC983DBBE3BC45CA9CD7346BF0
                                                                                                                                                                                                                                                                  SHA-256:943473FE93E9BC15217B3484E7F05DD3C89F370C18EBD4B8897E28FD8C2ADCEF
                                                                                                                                                                                                                                                                  SHA-512:327E5DC0EDD6B44101B6E0E911449942BCC9AE9292FA173BF2537A68F98359105BC060582CE98B60EB1F880CEEC215F94D15092D18A18FB45AE47FD3C6986F24
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ....(..../...1..(...................D1......6......................6.. .........,..1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):254
                                                                                                                                                                                                                                                                  Entropy (8bit):3.0371508354751664
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKzNLLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:pLLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                  MD5:7935F937DFFD2C81685A4CA11D4B826A
                                                                                                                                                                                                                                                                  SHA1:72C777A2E4A0718441FE564D832BE8FFFB8703DC
                                                                                                                                                                                                                                                                  SHA-256:C4C97ECF66CD2A3CD1393AE647036F249115A2BFCB174935A647CCA1644F849E
                                                                                                                                                                                                                                                                  SHA-512:E4F7DCB5094A31074295166931AAB860695837B64DD4448B33521464FDA89070CAC51C981651E88B302E89789032C0BC137843D12145B29F70C4D89FB9838BED
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:p...... ....l...Nl.-.1..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1944
                                                                                                                                                                                                                                                                  Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                  MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                  SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                  SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                  SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):3043
                                                                                                                                                                                                                                                                  Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                                                  MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                                                  SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                                                  SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                                                  SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1499
                                                                                                                                                                                                                                                                  Entropy (8bit):5.341844552740347
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNWE4KXSE4KlOU4mXE4Ke60:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKl
                                                                                                                                                                                                                                                                  MD5:D45F0B0387AA9450CC88125F2428C26D
                                                                                                                                                                                                                                                                  SHA1:8C77259A299BF2FB7A66EC695A3F0EFA5154DCB6
                                                                                                                                                                                                                                                                  SHA-256:6A6DF19288C76B1CEDD0F507F226705CDE6A69F3AB59B4FC13AF5C7B7F7D12A3
                                                                                                                                                                                                                                                                  SHA-512:5523AD8087ECE039FFFEF746F9B6175D6C2F2523C372FC813D21E695C18D986432D2B83C23D0E6CD6C42C97DFC8DECE3121BE8907D05337EA9B282D3E947EF4F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce

                                                                                                                                                                                                                                                                  C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-07-56-26.dat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):602
                                                                                                                                                                                                                                                                  Entropy (8bit):5.715477949331255
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:H4/x2yii36bO1zygUcB8uBDi9s/zQl6MRdRH2nZyNuKW2p:H4ZB36YUeEs/ccCdRHMZy5B
                                                                                                                                                                                                                                                                  MD5:FEA09B6BE53893C45720CA7D239DAF1B
                                                                                                                                                                                                                                                                  SHA1:8AE6A0BA6E58D3BACEE7737C71D52C3CE594D7C0
                                                                                                                                                                                                                                                                  SHA-256:5A4AC46A521238BB89FBC22A8E5EB3555768523D1FA8F78C3C7AB2217A24EC2F
                                                                                                                                                                                                                                                                  SHA-512:C30657FA29175D871E792178CF573855298958E7BBD99BC846307F5FCD79DE4E9B12D70947D02BF6BF9DFF6847D9070F465718ECCA29D33C7A90F8C0D49B4CC6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[Installation]..INSTALLDIR=C:\Program Files (x86)\Splashtop\Splashtop Remote\..SUPPORTDIR=C:\Windows\TEMP\{82FADB0D-5306-40C4-9FEF-94CD304E5311}\..ProductName=Splashtop Streamer..ProductVersion=3.7.2.3..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UpgradeCode={001F085C-058A-480B-AD56-2940B857C38D}..SRVMODE=0..EXTPATH=C:\Windows\TEMP\unpack\..ISUPGRADE=0..ONEUSERMODE=-1..AUTOUPGRADE=0..VTHIDSKIPOEM=1..SSUDONE=0..INSTVD=1..INSTDRV=0x81..VersionNT=603..STARTSRV=1..SRVFOLDER=Server..WOW64=1..WORKSTATION=1..TEMPFOLDER=C:\Windows\TEMP\..USERINFO=sec_opt=0,confirm_d=0,hidewindow=1..BASEDTYPE=1..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075552_000_dotnet_runtime_6.0.35_win_x64.msi.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):123292
                                                                                                                                                                                                                                                                  Entropy (8bit):3.731926648689984
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:QcfdXoj6abF1RVKvTo7ZPOkc8Ip13Emu+g6qsqYBHG2SF1lysPZYSMsD:QBHyseu
                                                                                                                                                                                                                                                                  MD5:309E1E26CFE7B5192E45810E4907B6FE
                                                                                                                                                                                                                                                                  SHA1:D0C51BFB804F1680692C1E1BDCE75F40980D1A67
                                                                                                                                                                                                                                                                  SHA-256:17F503D7EE9A70C07BE226D87A7E3FAAD7B7AAB84DAF3C65663A450E4BB962A3
                                                                                                                                                                                                                                                                  SHA-512:D0A42037AB1FC53C75ED5774CB426E23353F3FC3B34FB8C446F0D6F3A1B430F83AB565B8F68F16C040370B7BC020720FA47CC2056F04E01D8309FE750B9820FA
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241108075552_000_dotnet_runtime_6.0.35_win_x64.msi.log, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.6.:.1.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.7.B.4.4.9.3.B.5.-.7.4.1.3.-.4.B.1.D.-.A.F.0.7.-.5.9.2.E.B.C.5.7.F.8.6.A.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.5.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.4.0.:.8.0.). .[.0.7.:.5.6.:.1.2.:.1.9.3.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.4.0.:.8.0.). .[.0.7.:.5.6.:.1.2.:.1.9.3.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.4.0.:.8.0.). .[.0.7.:.5.6.:.1.2.:.1.9.3.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.C.7.9.F.6.E.E.C.-.3.A.2.B.-.4.8.7.D.-.A.3.B.6.-.E.D.F.4.0.5.7.B.4.E.4.B.}.v.4.8...1.4.0...2.1.4.5.8.\.d.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\PreVer.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2988
                                                                                                                                                                                                                                                                  Entropy (8bit):3.688122116149916
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:Vy1Tvzy1Qo70y1xy1Tapy1Qo7Fxy1V89xy1xy1i9Ey1qy17y1HLy1Ly1xzYy1zh:Vy1T7y1n70y1xy1TMy1n7Fxy16y1xy11
                                                                                                                                                                                                                                                                  MD5:C39852587F51CDFDAD3B69D7E1C0AA0B
                                                                                                                                                                                                                                                                  SHA1:EDDFC8FDE48C3728C76AE66AF479EE8433859A66
                                                                                                                                                                                                                                                                  SHA-256:237711CE215E6F2525D977488CE310FFC64C253E19E087A922D6D77DDA2154F9
                                                                                                                                                                                                                                                                  SHA-512:76A50B4673DE73D913A5A2B4D3EBF0B1BEA37163B53BA18E0B33AD31F225F2B45FB13EF7CA34046426D77454FE5E8935B9DCDD19E7B6D3E6135FAB4123C09CA6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.2.6.0.:.4.4.7.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.9. . .S.e.t.K.e.y. .k.e.y.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .f.a.i.l. . .E.r.r.:.0.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.2.6.0.:.4.4.7.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.9. . .I.n.i.t. .R.e.g.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .h.a.s. .e.r.r.o.r.,. .b.e.c.a.u.s.e. .h.a.v.e. .n.o. .P.r.o.d.u.c.t.c.o.d.e. .o.r. .U.p.g.r.a.d.e. .c.o.d.e. . .E.r.r.:.0.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.2.6.0.:.4.4.7.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.9. . .N.o. .o.l.d. .v.e.r. .e.x.i.s.t. . .E.r.r.:.1.8.3.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.2.6.0.:.4.4.7.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.9. . .S.e.t.K.e.y. .k.e.y.P.a.t.h.:.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r. .f.o.r. .B.u.s.i.n.e.s.s. .f.a.i.l. . .E.r.r.:.1.8.3.....[.P.R.E.V.E.R.C.H.E.C.K._.E.X.].[.7.2.6.0.:.4.4.7.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.9. . .I.n.i.t. .R.e.g.P.a.t.h.:.S.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\PreVer.log.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (523), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1294844
                                                                                                                                                                                                                                                                  Entropy (8bit):3.854203368856604
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:Xpu7cnzJUlcj0APSiIjWG0vzsoSnaWPb79PLaF8FekR1JAWKrfdDCPbVC+r2ESqs:pjOiIIjam
                                                                                                                                                                                                                                                                  MD5:9A568BC645E2FDEF5AA9FE285D4E9345
                                                                                                                                                                                                                                                                  SHA1:4FDA8C9D6E80BC567ED11713DA8D082EF9B776A4
                                                                                                                                                                                                                                                                  SHA-256:6AF2F8C8F2657ECABAC313CBC9D219D8D05E8F2B11E8004452A6AD4140D3FB0E
                                                                                                                                                                                                                                                                  SHA-512:73AE18BD818E172D7F0BF308BA6FC93AC902DE495522299D5CA25B2B645F81D4637AAA6DF6D5C50759242E6754E1F94E0C08B4FD435857407821B0395B074840
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.8./.1.1./.2.0.2.4. . .0.7.:.5.5.:.2.0. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.C.:.5.C.). .[.0.7.:.5.5.:.2.0.:.0.0.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.E.C.:.5.C.). .[.0.7.:.5.5.:.2.0.:.0.0.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.E.C.:.5.C.). .[.0.7.:.5.5.:.2.0.:.0.0.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .s.e.t.u.p...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.E.C.:.5.C.). .[.0.7.:.5.5.:.2.0.:.0.0.8.].:. .C.l.i.e.n.t.-.s.i.d.e. .a.n.d. .U.I. .i.s. .n.o.n.e. .

                                                                                                                                                                                                                                                                  C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):56904336
                                                                                                                                                                                                                                                                  Entropy (8bit):7.93750887921502
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:786432:Shz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/iuvKk:44ObGVUacXfXHEX2YHiAg7v+Mdj/iuvf
                                                                                                                                                                                                                                                                  MD5:6AAE99153C786353C750BF8F5C9779B1
                                                                                                                                                                                                                                                                  SHA1:01BF4087FEE55709A4B87FDCDB9E367B6D0D885F
                                                                                                                                                                                                                                                                  SHA-256:E125E0D79F2EF28292EE325CEE883400A474E9552EA38E07DD20163CAAB98AC8
                                                                                                                                                                                                                                                                  SHA-512:7F21501B176EBB83E2518F3F77B8313726F192FC650FC987B4EE03630B5611B32A07849FFB961C42CFF9AAC705EC8B7EF69547801FC3412470F8395C895B9DE5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L...y?.g............................./............@..................................Ee.............................................. ..(............"d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack.log

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4934
                                                                                                                                                                                                                                                                  Entropy (8bit):3.6532549632136497
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:mdA0zATA2mAN/ANUk9XAZL6NVGmpUNsUNa9XAASUNVD3UN2UNl9XAN4XNVgNXNr/:mddWUghHmp/ww3V8YNJKbtI7/KKxvw/m
                                                                                                                                                                                                                                                                  MD5:9CC2DA571704388D79ED5C225BBE0078
                                                                                                                                                                                                                                                                  SHA1:69ACF4CFECF21E86654C6BACE402840D63A39770
                                                                                                                                                                                                                                                                  SHA-256:3CDBA1C86690CA7B3EF03319A677305DDBD79C7A4063A72574E0778D0F9B6525
                                                                                                                                                                                                                                                                  SHA-512:E72AC015C3A6AEA52765ABEB573CA33FB75B8455C4B79056DB05EC6827D0C96B0FA38AF3298468E41F518549DDCEE7194D0625CCFB6FC3B88778E47FB5E52089
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.t.i.l.i.t.y.:.:.O.S.I.n.f.o.]. .O.S. .1.0...0.(.1.9.0.4.5.). . .x.6.4.:.1. .(.L.a.s.t.=.0.).....[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .N.a.m.e.:.C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r...e.x.e. .(.L.a.s.t.=.0.).....[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .S.i.g.n. .S.i.z.e.:.1.0.2.4.0. .(.L.a.s.t.=.0.).....[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.n.P.a.c.k.:.:.F.i.n.d.H.e.a.d.e.r.]. .H.e.a.d.e.r. .o.f.f.s.e.t.:.4.3.4.1.7.6. .(.L.a.s.t.=.1.8.3.).....[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.n.P.a.c.k.:.:.U.n.P.a.c.k.F.i.l.e.s.]. . .F.r.e.e.S.p.a.c.e.:.1.8.0.9.2.5.4.9.7.3.4.4. .F.i.l.e.S.i.z.e.:.5.3.0.7.1.8.7.2. .(.L.a.s.t.=.0.).....[.1.0.1.6.].2.0.2.4.-.1.1.-.0.8. .0.7.:.5.5.:.1.4. . .[.C.U.n.P.a.c.k.:.:.U.n.P.a.c.k.F.i.l.e.s.]. .(.1./.5.).U.n.P.a.c.k.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\PreVerCheck.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3383808
                                                                                                                                                                                                                                                                  Entropy (8bit):7.34393442596073
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:98304:JcO5IMA1lvHRzotzo5YuCpvBgSq8/R58hgpwVHSSWz:rAXvRMtUiuCpJgSVR58hS1z
                                                                                                                                                                                                                                                                  MD5:A7CE785B6CD1C9657040CA9B6CBEED10
                                                                                                                                                                                                                                                                  SHA1:4B254FEE47CC8A9EAEC6CE7B714A2CE05B6ED8EC
                                                                                                                                                                                                                                                                  SHA-256:7BA6E401B8E78AB28E1CCF38D2CD05E12751F960661E159B4E35BC63D3544B4D
                                                                                                                                                                                                                                                                  SHA-512:39202F477017DAA9428A0C1BBE1DAAE30AA1B7B9F57B04832C44A7B28AF0144FF47EDFC1AD3D6A940AD1C49471DFE190077B594C337BACC115C552D91A24C2D9
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!}..!}..!}......*}.......}..(.;. }..1...6}..1...5}..1....}......7}......>}..!}...|..j...=}..j.@. }..!}(. }..j... }..Rich!}..........................PE..L....<.g...............).....r0..............0....@...........................3.......3...@..........................................P..@-/..........z3..(....3..'......p...........................(...@............0...............................text...H........................... ..`.rdata..n....0......................@..@.data...4....0......................@....rsrc...@-/..P..../..$..............@..@.reloc...'....3..(...R3.............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\SRSocketCtrl.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):984584
                                                                                                                                                                                                                                                                  Entropy (8bit):6.654713325570367
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:gD2kCn6swdgSq3nUm08oS2R58vpo8Gp7EPVHHG0wIRCpDHFS:kvBgSq3nUD/R58vpofp4PVHHG07RgA
                                                                                                                                                                                                                                                                  MD5:8A17CA74AFC4FFF3A0AC2262DDD260A1
                                                                                                                                                                                                                                                                  SHA1:AC598B0297BF3CDF231D67A47BE942DA5173093B
                                                                                                                                                                                                                                                                  SHA-256:6EFCE3CC622589CE8A7B65C700692FB8EF9B97D50CDC828F0FC7E872C52CEBA9
                                                                                                                                                                                                                                                                  SHA-512:A8608961EF6936CD2EBAA6026B4074066A06F1CE90806C648B31E38E979F7BEB0F93A6E7BE33365A595D7DF6236E454241424DBC95EAC50867F2C78F89620BE5
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.....x...x...x.W.{...x.W.}.x..5|...x.W.|...x..3....x..3{...x..3|...x..3}.S.x.W.y...x...y..x.T2q.[.x.T2x...x.T2....x.......x.T2z...x.Rich..x.........PE..L....X.f...........!...).....&............... ...............................`......5.....@..........................6..T....6...........................(......T......p...................@.......@...@............ ..`............................text...h........................... ..`.rdata...)... ...*..................@..@.data....h...P.......0..............@....rsrc................L..............@..@.reloc..T............R..............@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\libcrypto-3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1336328
                                                                                                                                                                                                                                                                  Entropy (8bit):7.871375711510445
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:B/fqcYYzqZYz970TN1T42xGWD9bujQdC5NNQIpL8575+HZ0tuC+:NHRzHuh1cQGWDRu08Q0L8J5+HZ0tuC+
                                                                                                                                                                                                                                                                  MD5:67998603B05979931B23D16655529E15
                                                                                                                                                                                                                                                                  SHA1:A7EE73C900A3F6EEDFDEFDBC3A2099D5185BAEE2
                                                                                                                                                                                                                                                                  SHA-256:6A08DBFBFBBDEFE80D9CFCDF8BC26C9183A4FFEE24EEE0FA62571381AD28E9D4
                                                                                                                                                                                                                                                                  SHA-512:1BB92EBA016C76CB446FF0152BB13EF6043E05A5E2C14B38080F6CC7DA5CC2E4CC25C88717222917C128DC08F9DA3937E1635FBB21BCC4ABF10B9344CBED2369
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.seb.seb.seb..fc.seb..`cxseb..ac.seb..fc.seb..ac.seb..`c.seb.sdbWseb..dc.seb.seb.seb..ac!qeb..ec.seb...b.seb..gc.sebRich.seb................PE..L......f...........!...).....0....(.`.:...(...:...............................<.....*.....@...........................:.|"...:.@.....:..............<...(....<.....................................D.:.............................................UPX0......(.............................UPX1..........(.....................@....rsrc....0....:..(..................@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\libssl-3.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):342024
                                                                                                                                                                                                                                                                  Entropy (8bit):7.895641722792913
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:1Y2e1wyPJHcHPL4W84QDcsKzJEraJJZ90eGBSemTEMNFrUCoSbL:LaJS0W84QopzJE2JJseGBugMNFhbL
                                                                                                                                                                                                                                                                  MD5:523BA7EBE060B6961722FF97089695B7
                                                                                                                                                                                                                                                                  SHA1:EFC5C558A78CD5DB8F3F0DC510FCFF8EE4876E77
                                                                                                                                                                                                                                                                  SHA-256:EA3795FB2D4CFE2FE70F616E3C5D9BD73DADEA39F8CC3A4BF81389F73352097A
                                                                                                                                                                                                                                                                  SHA-512:A2265D470FCBCC7E0E8AE88B44969768FF1216F76177EE4B9531FB09C980D9D4B1331D41E184BA1F0E66356B5530E7946F614CA7FCEB449B6C1228BC2233755D
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.C..XC..XC..X...YI..X...Y...X...YW..X...YA..XSA.YU..XSA.YR..XSA.Y\..X.@.Y@..XC..XP..X.@.Yq..X.@.YB..X.@.XB..X.@.YB..XRichC..X........PE..L...g..f...........!...).....P......pd.......p............................................@.........................lt...>...s.......p...................(..$.......................................\f..............................................UPX0....................................UPX1................................@....rsrc....P...p...D..................@......................................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\run.bat

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):15
                                                                                                                                                                                                                                                                  Entropy (8bit):2.9995812306460645
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:1X6AZJ:1qAX
                                                                                                                                                                                                                                                                  MD5:56884732C1B8ABCBA0A31746DF533D97
                                                                                                                                                                                                                                                                  SHA1:662FA5002ACCB46261763B57F6A772E0A2AA5DDF
                                                                                                                                                                                                                                                                  SHA-256:A6212DAAA9A377B202A9436D80AB97BC9B0050DC7E174FCD35F255B34500CFAB
                                                                                                                                                                                                                                                                  SHA-512:8D5817660238082002FB42447D3B614C5099C8C691D4D091BE54BDDC5958A854628083BCCA191E6E45C85E70A8C6DCB5D2CBB4E2A3E5D255F5695139347E539C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:PreVerCheck.exe

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\setup.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [REGPATH]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1528
                                                                                                                                                                                                                                                                  Entropy (8bit):5.6192017888227515
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:Zem6aTKgWT8SoBz09LAjUeiKbd8fusQK5oqAeEVhqY0+c8Eo/VoijXOR+7G2eHNl:gi+Noh0dBeNbMoqvEV0Y0+bjjXD7FwNl
                                                                                                                                                                                                                                                                  MD5:FC5DE1FEA9170B61439922A367A12478
                                                                                                                                                                                                                                                                  SHA1:96941D31908B0CB49ADEABBDFCC43508F2B99B36
                                                                                                                                                                                                                                                                  SHA-256:087BA98D89B1E1366D04A909AC09D109BB80A872B6D5C38E29568DBEE5B116F1
                                                                                                                                                                                                                                                                  SHA-512:6423294E13EA896CE12E8369101CDEAF6EB467CC60A2852E5145BE12CD8EE1189A8508A59FAF504BB4BC90593F451EC09291662E6BD43438BBCAC57F2B69613B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[CUSTOMSETTING]..REGEXTSECT=Splashtop Remote Server for Business..INSTDRV=0x81..BASEDTYPE=1....[REGPATH]..NUM=2..REGPATH_01=Splashtop Remote Server..REGPATH_02=Splashtop Remote Server for Business....;Common..[REGISTRY]..CSRSMode=1..confirm_d=1..EnableNvFBC=@NO:0..EnableADEM=@NO:0....;STE..[REGISTRY_Splashtop Remote Server for Business]..EnableAutoUpgrade=0..CloudUserAgent=@SX:business..EnableIQSV=0..USERTRACK_NAME=@SO:SCRS00....[PREVERCHECK]..PRODUCTID={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..PRODUCTNAME=Splashtop Streamer..SSUNAME=PROTOIRIS00..SSUPRODUCT=SVR..COMPATIBLE_NUM=4....[PREVERCHECKREG]..REGKEYPATH_NUM=2..REGKEYPATH_MAIN=0..REGKEYPATH_0=Splashtop Remote Server,1..REGKEYPATH_1=Splashtop Remote Server for Business,0....;ST2..[COMPATIBLE_0]..PRODUCTID={2EFEAD58-3311-4B2B-9D8A-8D663581D109}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..SSUNAME=PROTOIRIS00..FORCESTEMODE=0....;S4B Prodcut name with Splashtop Streamer for Busine

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\setup.msi

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Fri Oct 25 15:56:32 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.3;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):53071872
                                                                                                                                                                                                                                                                  Entropy (8bit):7.963230061374655
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:786432:6hz4O/nYOGmsUacI4fpY5sHEXQHYHiXJf/+21Uss+MxyvChQwGgudj/:g4ObGVUacXfXHEX2YHiAg7v+Mdj/
                                                                                                                                                                                                                                                                  MD5:33E6BF180DFDC83D8FE09F9ED2CB4912
                                                                                                                                                                                                                                                                  SHA1:657F5AB0681B5AEA27459CDA99D3C9C976AE72CD
                                                                                                                                                                                                                                                                  SHA-256:09988CCA8DA09D56FD13D2F7A8335245D23567CBA884925477849B605F20A464
                                                                                                                                                                                                                                                                  SHA-512:A1FB80F899086A263E3332D86A39ED49BE0D0598F2D5994828FDDF09012B39C2784DE95CE7238098ED6845450FE2BDE612DDD4BCF517EDA80B43C10D50E48738
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...................*...............8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;.................................................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...:...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y.......[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                                                                                                                                                                                  C:\Windows\Temp\unpack\uninst.iss

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):988
                                                                                                                                                                                                                                                                  Entropy (8bit):5.127699291644866
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:RjUcBbUcBIP+ijUcBIDQUcBIPEUcBIDv0zWatYh7+ifPcPvo7PZn+i4TjnPTvY:9UQUhGijU90UhMU9odOyifEIzZ+i4PPc
                                                                                                                                                                                                                                                                  MD5:5DBDCF8D475069C447F676D56327382B
                                                                                                                                                                                                                                                                  SHA1:08A0CA9150DCFA9D46370A340F000504D7772032
                                                                                                                                                                                                                                                                  SHA-256:EDAC85170F8B70F30E7F7080B34664B186B635520FFBC011CD9AB6257BAB78A8
                                                                                                                                                                                                                                                                  SHA-512:81CE6716D4F58CEA4194FA5FF42EE22C2D2686DD0A097DC384E797411587A2071A4070E3ECF5B7E9571FF5D29C2DFD0ED197B6890D70BDFECE376E7E0340CEE1
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:;Unistall..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-DlgOrder]..Dlg0={B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0..Count=2..Dlg1={B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0]..Result=6..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0....;Unistall 140..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-DlgOrder]..Dlg0={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0..Count=2..Dlg1={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-DlgOrder]..Dlg0={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0..Count=2..Dlg1={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\ISRT.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437800
                                                                                                                                                                                                                                                                  Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                                                  MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                                                  SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                                                  SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                                                  SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\IsConfig.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):571
                                                                                                                                                                                                                                                                  Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                                                  MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                                                  SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                                                  SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                                                  SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\String1033.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186494
                                                                                                                                                                                                                                                                  Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                                                  MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                                                  SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                                                  SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                                                  SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\_is34E4.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):183856
                                                                                                                                                                                                                                                                  Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                                                  MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                                                  SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                                                  SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\_isres_0x0409.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1864872
                                                                                                                                                                                                                                                                  Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                                                  MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                                                  SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                                                  SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                                                  SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{05510FEB-0C18-4F43-B58E-B2F6AABA3CF6}\setup.inx

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):353888
                                                                                                                                                                                                                                                                  Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                                                  MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                                                  SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                                                  SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                                                  SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\ISRT.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437800
                                                                                                                                                                                                                                                                  Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                                                  MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                                                  SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                                                  SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                                                  SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\IsConfig.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):571
                                                                                                                                                                                                                                                                  Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                                                  MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                                                  SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                                                  SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                                                  SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\String1033.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186494
                                                                                                                                                                                                                                                                  Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                                                  MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                                                  SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                                                  SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                                                  SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):183856
                                                                                                                                                                                                                                                                  Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                                                  MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                                                  SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                                                  SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isres_0x0409.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1864872
                                                                                                                                                                                                                                                                  Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                                                  MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                                                  SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                                                  SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                                                  SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\setup.inx

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):353888
                                                                                                                                                                                                                                                                  Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                                                  MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                                                  SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                                                  SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                                                  SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\ISRT.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437800
                                                                                                                                                                                                                                                                  Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                                                  MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                                                  SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                                                  SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                                                  SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\IsConfig.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):571
                                                                                                                                                                                                                                                                  Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                                                  MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                                                  SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                                                  SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                                                  SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\String1033.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186494
                                                                                                                                                                                                                                                                  Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                                                  MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                                                  SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                                                  SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                                                  SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\_isC1.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):183856
                                                                                                                                                                                                                                                                  Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                                                  MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                                                  SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                                                  SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\_isres_0x0409.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1864872
                                                                                                                                                                                                                                                                  Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                                                  MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                                                  SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                                                  SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                                                  SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{5D77C7D0-2B42-43DD-B046-01569333E5F2}\setup.inx

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):353888
                                                                                                                                                                                                                                                                  Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                                                  MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                                                  SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                                                  SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                                                  SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{82FADB0D-5306-40C4-9FEF-94CD304E5311}\Description.xml

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2374
                                                                                                                                                                                                                                                                  Entropy (8bit):5.66619220204628
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3j9wrwgwzfy2wzcibOi2wzitw+53WgnJWwC5LDwhFTtw7NC0:2cRzfyLz9bOiLzl+53WgndphFu7Nv
                                                                                                                                                                                                                                                                  MD5:BD29ACF2C6B763E5398C71D360958C60
                                                                                                                                                                                                                                                                  SHA1:86FD0E905AF254E6209EC6F1888E7EBAE248D977
                                                                                                                                                                                                                                                                  SHA-256:1B90C8121D1D91FF3CF07A56F5E5FBC12DCCF9B09AE90984E171CFBF1F9E69CE
                                                                                                                                                                                                                                                                  SHA-512:1042B3344BBB482CC8C31936D5368B9B81F5BDC5335F81BCE49367F09514C13D427A05E04137EBFE0F18C7F99D8CAF6E4742DC3A6881D88004251A49DA896EFA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<Description Default="en">..<en Default="US">..<US>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. A computer with the Splashtop Remote Desktop Server can receive connections from any device running Splashtop Remote Client...</US>..</en>..<de Default="DE">..<DE>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Ein Computer mit dem Splashtop Remote Desktop Server kann Verbindungen von jedem Ger.t empfangen, auf dem der Splashtop Remote Client l.uft...</DE>..</de>..<es Default="ES">..<ES>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Un equipo con Splashtop Remote Desktop Server puede recibir conexiones desde cualquier dispositivo que est. ejecutando Splashtop Remote Client...</ES>..</es>..<fr Default="FR">..<FR>..Splashtop &lt;sup&gt;.&lt;/sup&gt; Remote Streamer for Microsoft Windows. Un ordinateur avec Splashtop Remote Desktop Server peut recevoir des co

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{82FADB0D-5306-40C4-9FEF-94CD304E5311}\setup.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [REGPATH]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1493
                                                                                                                                                                                                                                                                  Entropy (8bit):5.601665610962739
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:Zem6aTKNVASoBz09LAjUeiKbd8fusQK5oqAeEVhqY0+c8Eo/VoijXOR+7G2eHNhD:gPoh0dBeNbMoqvEV0Y0+bjjXD7FwNUQ
                                                                                                                                                                                                                                                                  MD5:5A9302AEA54E2C4341F2254E8E914271
                                                                                                                                                                                                                                                                  SHA1:DBD0D914EBAEF52B16E17092CC7DCCC31517797F
                                                                                                                                                                                                                                                                  SHA-256:F68C1CDA9475717430B6A3F0656085F8FB72CD3CAA66D048DE84F17CA7BE582E
                                                                                                                                                                                                                                                                  SHA-512:11552F3B66510AE76F715DB99F2A75A9D891DFA490E417C1230BBDFEDF348717FB143E773ABFA42BC3A109CCE6B3C1EBDE7ADA5E2103DB17D2B194398F6EE272
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[CUSTOMSETTING]..REGEXTSECT=Splashtop Remote Server for Business..INSTDRV=0x81..BASEDTYPE=1....[REGPATH]..NUM=2..REGPATH_01=Splashtop Remote Server..REGPATH_02=Splashtop Remote Server for Business....;Common..[REGISTRY]..CSRSMode=1..EnableNvFBC=0....;STE..[REGISTRY_Splashtop Remote Server for Business]..EnableAutoUpgrade=0..CloudUserAgent=@SX:business..EnableIQSV=0..USERTRACK_NAME=@SO:SCRS00....[PREVERCHECK]..PRODUCTID={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..PRODUCTNAME=Splashtop Streamer..SSUNAME=PROTOIRIS00..SSUPRODUCT=SVR..COMPATIBLE_NUM=4....[PREVERCHECKREG]..REGKEYPATH_NUM=2..REGKEYPATH_MAIN=0..REGKEYPATH_0=Splashtop Remote Server,1..REGKEYPATH_1=Splashtop Remote Server for Business,0....;ST2..[COMPATIBLE_0]..PRODUCTID={2EFEAD58-3311-4B2B-9D8A-8D663581D109}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..SSUNAME=PROTOIRIS00..FORCESTEMODE=0....;S4B Prodcut name with Splashtop Streamer for Business..[COMPATIBLE_1]..PRODUCTID={73A1

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\ISRT.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437800
                                                                                                                                                                                                                                                                  Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                                                  MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                                                  SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                                                  SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                                                  SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\IsConfig.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):571
                                                                                                                                                                                                                                                                  Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                                                  MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                                                  SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                                                  SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                                                  SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\String1033.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186494
                                                                                                                                                                                                                                                                  Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                                                  MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                                                  SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                                                  SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                                                  SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\_is19F8.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):183856
                                                                                                                                                                                                                                                                  Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                                                  MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                                                  SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                                                  SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\_isres_0x0409.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1864872
                                                                                                                                                                                                                                                                  Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                                                  MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                                                  SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                                                  SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                                                  SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{B9BAB4A5-0A56-4A86-B2CC-F9AF047FA00F}\setup.inx

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):353888
                                                                                                                                                                                                                                                                  Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                                                  MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                                                  SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                                                  SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                                                  SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\ISRT.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):437800
                                                                                                                                                                                                                                                                  Entropy (8bit):7.973112188633512
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:lj90SzD7w142fX+Tz8uOoigpDgQ+o4io1AVmeF7+Vp6b4aFUQPy39/A1TM0nq52r:Ruo7/zz81oi6DgQ+poASaPzMUQM8MAoM
                                                                                                                                                                                                                                                                  MD5:85315AD538FA5AF8162F1CD2FCE1C99D
                                                                                                                                                                                                                                                                  SHA1:31C177C28A05FA3DE5E1F934B96B9D01A8969BBA
                                                                                                                                                                                                                                                                  SHA-256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
                                                                                                                                                                                                                                                                  SHA-512:877EB3238517EEB87C2A5D42839167E6C58F9CA7228847DB3D20A19FB13B176A6280C37DECDA676FA99A6CCF7469569DDC0974ECCF4AD67514FDEDF9E9358556
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........A.YA.YA.Yf.mYG.Y..nY].Y..XC.Y..mY@.Y..mY..Y..lY..Y...Y@.Y...YE.YA.Y..Y...YV.Y..lY..Y..iY@.Y..jY@.YA.4Y@.Y..oY@.YRichA.Y................PE..L.....a...........!.....|...@...............................................@......................................p...................h...............($...0.........8...................................................DU..@....................text............P......PEC2MO...... ....rsrc....@.......4...T.............. ....reloc.......0......................@...........................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\IsConfig.ini

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Generic INItialization configuration [f9]
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):571
                                                                                                                                                                                                                                                                  Entropy (8bit):5.19171178659795
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:sWCV4ygUcBNTW5MtaxRjWIRLLN+eQ1LLmZLL7vLLB103e4ItDAdtDP4XMXLKxBoQ:sWCVQUxMk53p5tDutDQcLKxunLKxQto
                                                                                                                                                                                                                                                                  MD5:38370175CE7D8DD5C3581030A9104259
                                                                                                                                                                                                                                                                  SHA1:BBC1B4254C3E3DA692C2667B4C5092D687AD8DC9
                                                                                                                                                                                                                                                                  SHA-256:EE90CA3F30AA75FE1C3B095DDD2B24680BD3B081829094C18D9C78EBED206B83
                                                                                                                                                                                                                                                                  SHA-512:E11494869B04A2206D3DDA67411BE294106F6363408399D9363B27720C6FE88FD393AE90FC2AB7CD4909E940E98F273C8869532B65A1F0B0F4B8B18A24589748
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:[SetupDefaults]..LangID=1033..ProductCode={B7C5EA94-B96A-41F5-BE95-25D78B486678}..TempPathGuid={88EEE33A-4D48-40B0-8E6A-37FACF94ED89}..[f9]..Function=CA_ConflictCheck..[f6]..Function=CA_Finished..[f14]..Function=CA_Init..[f5]..Function=CA_InstDone..[f1]..Function=CA_InstSSU..[f3]..Function=CA_InstSrvAndDrv..[f10]..Function=CA_PostCleanup..[f13]..Function=CA_PreCleanup..[f7]..Function=CA_PreStopProcess..[f11]..Function=CA_StopProcess..[f8]..Function=CA_UIIsMaintenance..[f4]..Function=CA_UninstSSU..[f2]..Function=CA_UninstSrvAndDrv..[f12]..Function=CA_UpdateSetting..

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\String1033.txt

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (332), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):186494
                                                                                                                                                                                                                                                                  Entropy (8bit):3.661481208979177
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:gSeMLR6/K41+BrChTHB8Xd12hWA/z+wuUZU6rPsHnQvvOuyMJice1VOL27p3:gmLu1xTh84W9Coe2
                                                                                                                                                                                                                                                                  MD5:37A2C4EF0FF41955F1CB884B7790699F
                                                                                                                                                                                                                                                                  SHA1:8E7DAD0BC6AE65DFAEC9FC29D0EF6E260DD83E9D
                                                                                                                                                                                                                                                                  SHA-256:6B629FDF1520BA40BB0D7BC8D9A7BB231624FD190E03BCACC607F248222B3C63
                                                                                                                                                                                                                                                                  SHA-512:FB3A109395872E6F116A75B39566F4B9EFE0486512620DEB33EF83AC0AC3165D96DBEFBE3023ECE1D3D0D6BE7C8EB8ABB58DA90F01F225E1ED2D4ADD2B544D42
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:..C.O.M.P.A.N.Y._.N.A.M.E.=.S.p.l.a.s.h.t.o.p. .I.n.c.......D.N._.A.l.w.a.y.s.I.n.s.t.a.l.l.=.A.l.w.a.y.s. .I.n.s.t.a.l.l.....I.D.D.R.O.P._.S.R.S._.C.O.N.F.L.I.C.T.E.D.=.T.h.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.n.s.t.a.l.l.a.t.i.o.n. .o.n. .t.h.i.s. .c.o.m.p.u.t.e.r. .w.a.s. .f.a.i.l.e.d... .M.a.k.e. .s.u.r.e. .y.o.u.'.v.e. .u.n.i.n.s.t.a.l.l.e.d. .a.n.y. .p.r.e.v.i.o.u.s.l.y. .i.n.s.t.a.l.l.e.d. .s.o.f.t.w.a.r.e. .b.e.f.o.r.e. .i.n.s.t.a.l.l.i.n.g. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.C.R.O.B.A.T.5.F.O.L.D.E.R.=. . . .A.d.o.b.e. .A.c.r.o.b.a.t. .5. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.X.P.R.E.S.S._.L.A.U.N.C.H._.C.O.N.D.I.T.I.O.N._.A.D.O.B.E.R.E.A.D.E.R.1.0.F.O.L.D.E.R.=.A.d.o.b.e. .R.e.a.d.e.r. .1.0. .n.e.e.d.s. .t.o. .b.e. .i.n.s.t.a.l.l.e.d. .f.o.r. .t.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .t.o. .c.o.n.t.i.n.u.e.......I.D.P.R.O.P._.E.

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\_isA7F2.exe

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):183856
                                                                                                                                                                                                                                                                  Entropy (8bit):5.777994123339856
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:MIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYjdeZ2bgA/qVzs:AUn0mT8Sc/T4F1bpxg8z
                                                                                                                                                                                                                                                                  MD5:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  SHA1:3C23414AE545D2087E5462A8994D2B87D3E6D9E2
                                                                                                                                                                                                                                                                  SHA-256:E46C768950AAD809D04C91FB4234CB4B2E7D0B195F318719A71E967609E3BBED
                                                                                                                                                                                                                                                                  SHA-512:BBEC114913BC2F92E8DE7A4DD9513BFF31F6B0EF4872171B9B6B63FEF7FAA363CF47E63E2D710DD32E9FC84C61F828E0FAE3D48D06B76DA023241BEE9D4A6327
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...d.a.........."......X...v.................@....................................s{....`..................................................J..........`.......$.......0$..........`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc...`............v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\_isres_0x0409.dll

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1864872
                                                                                                                                                                                                                                                                  Entropy (8bit):5.69189927762803
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12288:ds4d9dfaOdWJIApJCPtjvntnSb8COevQonCLPub+7NPS:dhrWiADCPtjvntnSb8COevQonCftS
                                                                                                                                                                                                                                                                  MD5:BEFE2EF369D12F83C72C5F2F7069DD87
                                                                                                                                                                                                                                                                  SHA1:B89C7F6DA1241ED98015DC347E70322832BCBE50
                                                                                                                                                                                                                                                                  SHA-256:9652FFAE3F5C57D1095C6317AB6D75A9C835BB296E7C8B353A4D55D55C49A131
                                                                                                                                                                                                                                                                  SHA-512:760631B05EF79C308570B12D0C91C1D2A527427D51E4E568630E410B022E4BA24C924D6D85BE6462BA7F71B2F0BA05587D3EC4B8F98FCDB8BB4F57949A41743B
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...4..a...........!.........................................................p......Q<.......................................@..(....P..9...........pP..8$...@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...9....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\{FEBDD9EF-BE90-4DAE-82FA-DBB25B423142}\setup.inx

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):353888
                                                                                                                                                                                                                                                                  Entropy (8bit):7.39949998550144
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:jfLdZMDVq3/HvkZe6hTYYmWyQ98js8sNWo2vBg3vu:jzsDVq3/HB6hzyIhUfvBF
                                                                                                                                                                                                                                                                  MD5:0376DD5B7E37985EA50E693DC212094C
                                                                                                                                                                                                                                                                  SHA1:02859394164C33924907B85AB0AADDC628C31BF1
                                                                                                                                                                                                                                                                  SHA-256:C9E6AF6FB0BDBEB532E297436A80EB92A2FF7675F9C777C109208EE227F73415
                                                                                                                                                                                                                                                                  SHA-512:69D79D44908F6305EEE5D8E6F815A0FEE0C6D913F4F40F0C2C9F2F2E50F24BF7859EBE12C85138D971E5DB95047F159F077AE687989B8588F76517CAB7D3E0D5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}aD%mQ.Y]A..M1...!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.......................e.......G.....v.@....qeymee1m.......c.)!!.)g..?.....K.7.+.OH..... .D@..0....e..dXH......P..(..]UU-]......kS.kk.....C.WO7'.[.<X44....,..$.8... ...}..\......@.5km!U.gL.8..g....-....._..k#+G##.LP8.H.@......0...T.......Y..D.........1II.1.o.s..Cg..G.....O.Og.CL<L.P.......p.d$........Y..L......<.. ...III.1..k_.....o.oGO?.....H.,@.X.P. ......p..,...\......m..<.....]YMEE.M..w[..[..{os.....O.C_G.t$l.D8\..........,.......}..]..`.........)5M.5.o.W_...sO3.SGk....h$.`,...4.L.$.<..........@...d...e}}1e.D.....o...S)!!.)g.GsK?..0.....#.h$P(.\\...........x(..am.I...p....H.......=9.!S3.wgksK.......3[C ......(.......,...........q.ayyaa.YQQYYc9E%11%9._.......W{7;wSo.......`(h<......L.4..........ay.q...a}Qii]Q....5MM!5.wSl.-.....w'.+k3/..+d.....

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF0AD906725BDA9064.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF0B1F83CB212A9075.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.562242566196661
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:b8PhluRc06WXJ0FT5p55dqISoedGPdGfosbrnStedGPdGRub1n:Chl13FTJ5AISox
                                                                                                                                                                                                                                                                  MD5:25ADC1A461C2CBEB173BC3F6ABC3FA21
                                                                                                                                                                                                                                                                  SHA1:57D108D26EAFA085B2A61FAD93362DDFC80CE293
                                                                                                                                                                                                                                                                  SHA-256:19BB0FF07E836739AAE4D04274F86A77B503C063199ACB3EEC4CB03E76A44D48
                                                                                                                                                                                                                                                                  SHA-512:5858F536A6FB25E56B48AAEE77337589842537A19A8D49EB2A5F3F61810DD7D1B45474CFC72894C6ECA69E5B4D05B077F534969F8B72107F17608721A51C4810
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0B1F83CB212A9075.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0B1F83CB212A9075.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0B1F83CB212A9075.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF1EF693B4B0B2A620.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147456
                                                                                                                                                                                                                                                                  Entropy (8bit):3.0952190232289283
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zh4RObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFo0ARObDBZ84vjMgtjDDtgVPpSu7b5G:N4oDkfsKPpSuyRAoDkfsKPpSuy
                                                                                                                                                                                                                                                                  MD5:69B7279BE14791942219F6351508388E
                                                                                                                                                                                                                                                                  SHA1:E4FEDF0D1010258E19CC3E09A4C5DECCBBDFCCB1
                                                                                                                                                                                                                                                                  SHA-256:AFF6D001C6DD0F564B99B40BBEEDF45FB3247923E8EF15A49ED87F840C1C45DD
                                                                                                                                                                                                                                                                  SHA-512:7319BDED4BBB243F60C7E8C3439DCCED407A6657D4CC70984D8AF26294EF8638E955D87D3FAA11097C0370027085893A028B01B8FEFA1415E2F4154F0BD2AE6C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF22746CA774A1854A.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF25E014B23078E756.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):0.06933201620126776
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOIs5NIHyVky6l3X:2F0i8n0itFzDHFn5M3X
                                                                                                                                                                                                                                                                  MD5:438749DCD9BBCBD624A65EB931FA6B22
                                                                                                                                                                                                                                                                  SHA1:2E2C214F75C4B246EB5D3234E68B0BFBACDDEB83
                                                                                                                                                                                                                                                                  SHA-256:E093D36BADA641936E07B290753CC5CF25FF004DDEFF29BC2E36FCFE70076F11
                                                                                                                                                                                                                                                                  SHA-512:726AE40DF0902441EB19B7B3387E48E5B7BBB616BFE4D2333347C57FF68532B95C2CDA173D66C52C3BB383AA8A84FE5BDB96C36FF0374839546374FEA2BAD1E9
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF34C6AB6AD4D1677B.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):1.2510977359326199
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:uJgduksPveFXJpT5p55dqISoedGPdGfosbrnStedGPdGRub1n:NdrRTJ5AISox
                                                                                                                                                                                                                                                                  MD5:220C81B2F324D06B0C488092CDE52513
                                                                                                                                                                                                                                                                  SHA1:8BA2E73F333E41CA60D99DE24D9ACAC5449272BA
                                                                                                                                                                                                                                                                  SHA-256:D4FF8D3824F5943CFCDA43BA05B30C409B2E2C6863142BA68817364EDC33D17D
                                                                                                                                                                                                                                                                  SHA-512:F78AB6962C12D3695F2515D7BD24907438693FF9F924C918AA46DC8D81C2CD187AB82C4C7C0751412EDF3C3622669C242D198A04DDB9F54FE130DA7B6C03A322
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF34C6AB6AD4D1677B.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF34C6AB6AD4D1677B.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF34C6AB6AD4D1677B.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF3BC903EF911773B0.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.303094966705216
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JFO38PhMuh3iFip1GE2yza2t4KAQBHodagUMClXte6A+oAWS++jXwZymiL:c8PhMuRc06WXOCnT5QXAWStXwZy9
                                                                                                                                                                                                                                                                  MD5:6D0B4EB6984390DEEF2A45984C11AAAD
                                                                                                                                                                                                                                                                  SHA1:6BACD89B07EDF8F32D46187671017A6F74399D4E
                                                                                                                                                                                                                                                                  SHA-256:16612058467A45575C6F0038B2A0175E89F687B8C1127F15510CB0CB83C624FA
                                                                                                                                                                                                                                                                  SHA-512:57EA9CF23BD1A43222F3A67B33B245003C20F23E62B87F7E671F4FC38F662575EC12CDAAB8661D280E51B89C72DFC31ECD930F9F0DC88A1E34902B883CE9F9A4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF50CBFC3E60B6BE3D.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF56239AF8C5925886.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147456
                                                                                                                                                                                                                                                                  Entropy (8bit):3.0952190232289283
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zh4RObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFo0ARObDBZ84vjMgtjDDtgVPpSu7b5G:N4oDkfsKPpSuyRAoDkfsKPpSuy
                                                                                                                                                                                                                                                                  MD5:69B7279BE14791942219F6351508388E
                                                                                                                                                                                                                                                                  SHA1:E4FEDF0D1010258E19CC3E09A4C5DECCBBDFCCB1
                                                                                                                                                                                                                                                                  SHA-256:AFF6D001C6DD0F564B99B40BBEEDF45FB3247923E8EF15A49ED87F840C1C45DD
                                                                                                                                                                                                                                                                  SHA-512:7319BDED4BBB243F60C7E8C3439DCCED407A6657D4CC70984D8AF26294EF8638E955D87D3FAA11097C0370027085893A028B01B8FEFA1415E2F4154F0BD2AE6C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF6E3D7E8602510BDD.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF761CCED7FD57F589.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):1.278658792229478
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:DOLuXvh8FXzdT5bKqmdXynE5SjndddwEqdGUDj0bQiSsndddSE8ly:yLBjTVKqqCnE5f3DoNaE
                                                                                                                                                                                                                                                                  MD5:72FF3EB2F3C670D56CDE38C4BFA08F58
                                                                                                                                                                                                                                                                  SHA1:F001567FD77106D3FFC25833C816DAD2A57030A0
                                                                                                                                                                                                                                                                  SHA-256:A2D3D16BBC6EC8A1854A330908659F9783C0CD512FFB1683E3C1AA75090403D2
                                                                                                                                                                                                                                                                  SHA-512:3CD8D0E696C667810168DEB759B5F280CA490109B01B1713752C34131501C60EC4DE33B00938EFE87D2BC199C2B118DECC08E0A950DB653ABD59D307B864D9F7
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF761CCED7FD57F589.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF761CCED7FD57F589.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF83D4A5F6A0C4A2BD.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF87B49D07C30BE433.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.562242566196661
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:b8PhluRc06WXJ0FT5p55dqISoedGPdGfosbrnStedGPdGRub1n:Chl13FTJ5AISox
                                                                                                                                                                                                                                                                  MD5:25ADC1A461C2CBEB173BC3F6ABC3FA21
                                                                                                                                                                                                                                                                  SHA1:57D108D26EAFA085B2A61FAD93362DDFC80CE293
                                                                                                                                                                                                                                                                  SHA-256:19BB0FF07E836739AAE4D04274F86A77B503C063199ACB3EEC4CB03E76A44D48
                                                                                                                                                                                                                                                                  SHA-512:5858F536A6FB25E56B48AAEE77337589842537A19A8D49EB2A5F3F61810DD7D1B45474CFC72894C6ECA69E5B4D05B077F534969F8B72107F17608721A51C4810
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF87B49D07C30BE433.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF97C3D8010D0D80E7.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF9E3106EBFEFF2114.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):69632
                                                                                                                                                                                                                                                                  Entropy (8bit):0.1417960128184121
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfosbrYf5:icyLITB
                                                                                                                                                                                                                                                                  MD5:615FC9C25488905E39BBD8CCF7004017
                                                                                                                                                                                                                                                                  SHA1:456FA5FB555A3E344926F56517E250A3C2ED5732
                                                                                                                                                                                                                                                                  SHA-256:B45AE95147074C8C1A3CFE01839DACEBF7364AB77C1AA1C3AA4AA84B705216F4
                                                                                                                                                                                                                                                                  SHA-512:BDE0201B213C4A613904B2BE2B4236B5001A9874B8386178B06067EE0B4CF9D75D4ACF8D406C447F71DE4406A8BA0F122CF322035F746728D04A4A57B530F1FB
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9E3106EBFEFF2114.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DF9F6DA2438C4E51AF.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFA74D16A6223BC659.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFA75076AEA59FC335.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFAA95A56885A9F07A.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFBF60562B16A39665.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):0.07171961881936036
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4Iy9aaEwM0B+XM1gVky6lit/:2F0i8n0itFzDHF9y9azuB+Xuit/
                                                                                                                                                                                                                                                                  MD5:219A2D3AA54984EC35D254806AE184A1
                                                                                                                                                                                                                                                                  SHA1:9809638060CAF679B703B6300623623E38D847D0
                                                                                                                                                                                                                                                                  SHA-256:ABCC1B9B657E1A37BB3ADFF460B4D889B7773AD93095B5B4F9D6724679738299
                                                                                                                                                                                                                                                                  SHA-512:76894AFB50AC304D5CA1B2559D9416C2D0E8BFB9DD414A78D74A9FC06A01735AA3C3A64F821E87827D918B06589C5844DEB540D11DA765EAC9B98415071968ED
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFC4F3156EFB829EDF.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81920
                                                                                                                                                                                                                                                                  Entropy (8bit):0.13658194394399611
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:KyuBEuSsndddPSjndddwEqdGUDj0bQAw2dXy0q:Puv9f3Dohw6C0q
                                                                                                                                                                                                                                                                  MD5:4A6758441A46735B236497EDF1ADF992
                                                                                                                                                                                                                                                                  SHA1:2DBFE8B90DA452318D5124535B74F1CECAE6682B
                                                                                                                                                                                                                                                                  SHA-256:ED81C4D7C69A9E6CB4E307DD48733B40261119D73246FEB367AF1D92F9FCBA85
                                                                                                                                                                                                                                                                  SHA-512:F089789BABF5A28ADF7240407E93BBD6B90969A2199BA95B5D50050704FC352FA6D57909BD5BE66F80445D43F76C4816D1DE877EB1913A37B1A68FE643472D0C
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC4F3156EFB829EDF.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFCC0B1DF6D9E3CB35.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147456
                                                                                                                                                                                                                                                                  Entropy (8bit):3.0952190232289283
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zh4RObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFo0ARObDBZ84vjMgtjDDtgVPpSu7b5G:N4oDkfsKPpSuyRAoDkfsKPpSuy
                                                                                                                                                                                                                                                                  MD5:69B7279BE14791942219F6351508388E
                                                                                                                                                                                                                                                                  SHA1:E4FEDF0D1010258E19CC3E09A4C5DECCBBDFCCB1
                                                                                                                                                                                                                                                                  SHA-256:AFF6D001C6DD0F564B99B40BBEEDF45FB3247923E8EF15A49ED87F840C1C45DD
                                                                                                                                                                                                                                                                  SHA-512:7319BDED4BBB243F60C7E8C3439DCCED407A6657D4CC70984D8AF26294EF8638E955D87D3FAA11097C0370027085893A028B01B8FEFA1415E2F4154F0BD2AE6C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFCF1092791622F686.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFD7CE1361C4B2B636.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):1.2510977359326199
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:uJgduksPveFXJpT5p55dqISoedGPdGfosbrnStedGPdGRub1n:NdrRTJ5AISox
                                                                                                                                                                                                                                                                  MD5:220C81B2F324D06B0C488092CDE52513
                                                                                                                                                                                                                                                                  SHA1:8BA2E73F333E41CA60D99DE24D9ACAC5449272BA
                                                                                                                                                                                                                                                                  SHA-256:D4FF8D3824F5943CFCDA43BA05B30C409B2E2C6863142BA68817364EDC33D17D
                                                                                                                                                                                                                                                                  SHA-512:F78AB6962C12D3695F2515D7BD24907438693FF9F924C918AA46DC8D81C2CD187AB82C4C7C0751412EDF3C3622669C242D198A04DDB9F54FE130DA7B6C03A322
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD7CE1361C4B2B636.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFD8DCFFD735C6E6BF.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):1.2510977359326199
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:uJgduksPveFXJpT5p55dqISoedGPdGfosbrnStedGPdGRub1n:NdrRTJ5AISox
                                                                                                                                                                                                                                                                  MD5:220C81B2F324D06B0C488092CDE52513
                                                                                                                                                                                                                                                                  SHA1:8BA2E73F333E41CA60D99DE24D9ACAC5449272BA
                                                                                                                                                                                                                                                                  SHA-256:D4FF8D3824F5943CFCDA43BA05B30C409B2E2C6863142BA68817364EDC33D17D
                                                                                                                                                                                                                                                                  SHA-512:F78AB6962C12D3695F2515D7BD24907438693FF9F924C918AA46DC8D81C2CD187AB82C4C7C0751412EDF3C3622669C242D198A04DDB9F54FE130DA7B6C03A322
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD8DCFFD735C6E6BF.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD8DCFFD735C6E6BF.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFDC92CD55C6FA7A6C.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                                                                                  Entropy (8bit):0.07957035983066839
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOxgIYqICN/K9IKLIUSVky6l/X:2F0i8n0itFzDHFxgIjNxKR/X
                                                                                                                                                                                                                                                                  MD5:C584EBAB63FADE959CA713DE5E61B9FE
                                                                                                                                                                                                                                                                  SHA1:04626806B95D1B8C9B3212C646EA715217A95E6A
                                                                                                                                                                                                                                                                  SHA-256:324A20E8D4B0FD8D553397ECEA4877E20BB7B1DC2B709BAB914AD75C11BEAE5D
                                                                                                                                                                                                                                                                  SHA-512:F3633B74C48AEE72D5F5AC77F2A2D15FF86922026FEF75DC5087A60BCB83935B7E4FA5CD56207B3F120B5A21495BA25472597CFCEBE30EDAAF550644EF97FACA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFDFFBF0E28EF9C487.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):512
                                                                                                                                                                                                                                                                  Entropy (8bit):0.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3::
                                                                                                                                                                                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFF3FFBEDE96B1D250.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):147456
                                                                                                                                                                                                                                                                  Entropy (8bit):3.0952190232289283
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:zh4RObDBZ84vjMgtjDDtgVPpSu7b5Ok5oFo0ARObDBZ84vjMgtjDDtgVPpSu7b5G:N4oDkfsKPpSuyRAoDkfsKPpSuy
                                                                                                                                                                                                                                                                  MD5:69B7279BE14791942219F6351508388E
                                                                                                                                                                                                                                                                  SHA1:E4FEDF0D1010258E19CC3E09A4C5DECCBBDFCCB1
                                                                                                                                                                                                                                                                  SHA-256:AFF6D001C6DD0F564B99B40BBEEDF45FB3247923E8EF15A49ED87F840C1C45DD
                                                                                                                                                                                                                                                                  SHA-512:7319BDED4BBB243F60C7E8C3439DCCED407A6657D4CC70984D8AF26294EF8638E955D87D3FAA11097C0370027085893A028B01B8FEFA1415E2F4154F0BD2AE6C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFF7B70509B824DA36.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):20480
                                                                                                                                                                                                                                                                  Entropy (8bit):1.303094966705216
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JFO38PhMuh3iFip1GE2yza2t4KAQBHodagUMClXte6A+oAWS++jXwZymiL:c8PhMuRc06WXOCnT5QXAWStXwZy9
                                                                                                                                                                                                                                                                  MD5:6D0B4EB6984390DEEF2A45984C11AAAD
                                                                                                                                                                                                                                                                  SHA1:6BACD89B07EDF8F32D46187671017A6F74399D4E
                                                                                                                                                                                                                                                                  SHA-256:16612058467A45575C6F0038B2A0175E89F687B8C1127F15510CB0CB83C624FA
                                                                                                                                                                                                                                                                  SHA-512:57EA9CF23BD1A43222F3A67B33B245003C20F23E62B87F7E671F4FC38F662575EC12CDAAB8661D280E51B89C72DFC31ECD930F9F0DC88A1E34902B883CE9F9A4
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\Temp\~DFFE03C78BDD1A9C78.TMP

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):172032
                                                                                                                                                                                                                                                                  Entropy (8bit):2.4610421709668384
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:hARObDBZ84vjMgtjDDtgVPpSu7b5Ok5oF4RObDBZ84vjMgtjDDtgVPpSu7b5Ok5v:hAoDkfsKPpSuyGoDkfsKPpSuy
                                                                                                                                                                                                                                                                  MD5:DF0A0B144FBAF4F12FD083356CC875B9
                                                                                                                                                                                                                                                                  SHA1:889C17FE0714BC05335410C24001E6810EB10C5A
                                                                                                                                                                                                                                                                  SHA-256:9EA67185B129F76CD1E23F9A0C1D43DD6C41AE7A3A21C0E507A4233ACBFEDCB8
                                                                                                                                                                                                                                                                  SHA-512:FCB3DF0B7362A19DCED9D55CCA9CEE8FC97D74CA65F631172D2FE4A9A9A620CD9C9ABCE8419635C46C70A64D78D271D9DEB7140BF22F2A211A7A85C5325CCC66
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  C:\Windows\system32\SRCredentialProvider.dll (copy)

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):326664
                                                                                                                                                                                                                                                                  Entropy (8bit):6.273611352763876
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                                                                                                                                                                                  MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                                                                                                                                                                                  SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                                                                                                                                                                                  SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                                                                                                                                                                                  SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  \Device\ConDrv

                                                                                                                                                                                                                                                                  Download File
                                                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4
                                                                                                                                                                                                                                                                  Entropy (8bit):2.0
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:Cy:Cy
                                                                                                                                                                                                                                                                  MD5:17C47928D1BA7ECB789EE3E4E7BB61A4
                                                                                                                                                                                                                                                                  SHA1:58836A68D7DA82082C676A5E1F5BC33F2A8CADF0
                                                                                                                                                                                                                                                                  SHA-256:42A3ABE36D8E5C5CB6123D9DA9ADB152C87AD6E08CB6327BB5405A8E297635E4
                                                                                                                                                                                                                                                                  SHA-512:EF35FF11C834B9F6696C0EB1FA3F32A3DAE4C304AB872E2A5357D539DDA15C3AC7BD618B5AE8628BCF42BC9B47AFE0C6796816318B2E10B8378EDAFD953EE336
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                                                                                  Preview:52..

                                                                                                                                                                                                                                                                  Static File Info

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                  Entropy (8bit):7.878665058716973
                                                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                                                  • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                  • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                  File name:Le55bnMCON.msi
                                                                                                                                                                                                                                                                  File size:2'994'176 bytes
                                                                                                                                                                                                                                                                  MD5:6e58d9af76a06f068fc49d0f5f895966
                                                                                                                                                                                                                                                                  SHA1:6eaf5813536f716cab6ccdda47e8f0beaa74b30c
                                                                                                                                                                                                                                                                  SHA256:b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899
                                                                                                                                                                                                                                                                  SHA512:4d314dcc18f09ce95453470101efc55e690657e2288728839f04d7060a1f767a4be0d1b48cc0a980979d35c440144cc2cbffd767732b19e4af4c5333a8fc93e9
                                                                                                                                                                                                                                                                  SSDEEP:49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                  TLSH:A5D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                                                  File Icon

                                                                                                                                                                                                                                                                  Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                                                  Network Behavior

                                                                                                                                                                                                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                                                  Statistics

                                                                                                                                                                                                                                                                  CPU Usage

                                                                                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                                                                                  Memory Usage

                                                                                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                                                                                  High Level Behavior Distribution

                                                                                                                                                                                                                                                                  Click to dive into process behavior distribution

                                                                                                                                                                                                                                                                  Behavior

                                                                                                                                                                                                                                                                  Click to jump to process

                                                                                                                                                                                                                                                                  System Behavior

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                                                                                  Start time:07:54:32
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Le55bnMCON.msi"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff698dd0000
                                                                                                                                                                                                                                                                  File size:69'632 bytes
                                                                                                                                                                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:1
                                                                                                                                                                                                                                                                  Start time:07:54:32
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                  Imagebase:0x7ff698dd0000
                                                                                                                                                                                                                                                                  File size:69'632 bytes
                                                                                                                                                                                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                                                                                                  Start time:07:54:33
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CAAC4898E5F21B8FF741540F3B0CAAB6
                                                                                                                                                                                                                                                                  Imagebase:0x7b0000
                                                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                                                                                                  Start time:07:54:33
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIE0CD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7135531 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                                                  Imagebase:0xac0000
                                                                                                                                                                                                                                                                  File size:61'440 bytes
                                                                                                                                                                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1809738097.0000000004A18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                                                                                  Start time:07:54:33
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIE39D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7136187 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                                                  Imagebase:0xac0000
                                                                                                                                                                                                                                                                  File size:61'440 bytes
                                                                                                                                                                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1861868953.0000000004A84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1861868953.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1819796804.00000000044E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                                                                                  Start time:07:54:38
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSIF6F7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7141140 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                                                  Imagebase:0xac0000
                                                                                                                                                                                                                                                                  File size:61'440 bytes
                                                                                                                                                                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1864689254.0000000004669000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:6
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding CA6DBA366017891C5744CC4FCFEFE125 E Global\MSI0000
                                                                                                                                                                                                                                                                  Imagebase:0x7b0000
                                                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                                                  Imagebase:0xa20000
                                                                                                                                                                                                                                                                  File size:47'104 bytes
                                                                                                                                                                                                                                                                  MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                                                  Imagebase:0x580000
                                                                                                                                                                                                                                                                  File size:139'776 bytes
                                                                                                                                                                                                                                                                  MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                                                  Imagebase:0xb50000
                                                                                                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                                                  Start time:07:54:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                                                                                  Start time:07:54:40
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="shyam@telcoict.com.au" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="fbcf2d79-fde9-446f-9db8-b915db64fdfb"
                                                                                                                                                                                                                                                                  Imagebase:0x25da9b70000
                                                                                                                                                                                                                                                                  File size:145'968 bytes
                                                                                                                                                                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB86C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB7B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1924284253.0000025DC4033000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB7A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1922775108.0000025DA9C80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB7A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB77C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1924284253.0000025DC3F50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1924284253.0000025DC401D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB779000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1922878127.0000025DA9CC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1926114762.00007FFD9B314000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB7AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB822000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000000.1884188018.0000025DA9B72000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1922964501.0000025DA9CE1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923212837.0000025DA9D76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1923621881.0000025DAB6F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1922878127.0000025DA9CCC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1924960432.0000025DC4240000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1922964501.0000025DA9CED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1925310996.0000025DC43AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                                                  • Detection: 21%, ReversingLabs
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                                                                                  Start time:07:54:44
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff70f330000
                                                                                                                                                                                                                                                                  File size:145'968 bytes
                                                                                                                                                                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2386760973.000001E7F3650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2382135962.000001E7F2370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2391825905.000001E7F3794000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E78006E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2397705041.000001E7F3B7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2380145583.000001E7F211E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E7801DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2386760973.000001E7F36D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E7803CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E7802A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2380145583.000001E7F20E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2380145583.000001E7F216D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E7802F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E78029E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2362532887.00000028B39E5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2386760973.000001E7F3729000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E780387000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2386760973.000001E7F3692000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396363552.000001E7F3AF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2391825905.000001E7F3782000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E780390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2384334256.000001E7F32C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E780148000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E78042A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2384334256.000001E7F3355000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E78028C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2381864614.000001E7F21E0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E7805E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E780001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E780340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364755560.000001E78042D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                                                                                  Start time:07:54:44
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6fd190000
                                                                                                                                                                                                                                                                  File size:72'192 bytes
                                                                                                                                                                                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                                                                                                  Start time:07:54:44
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                                                                                                  Start time:07:54:45
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:rundll32.exe "C:\Windows\Installer\MSI1021.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7147593 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                  Imagebase:0xac0000
                                                                                                                                                                                                                                                                  File size:61'440 bytes
                                                                                                                                                                                                                                                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1981482959.0000000004341000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1981482959.00000000043E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1928739816.00000000041FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                                                                                  Start time:07:54:54
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "29190784-5aaf-4974-b188-2285218acd1a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC
                                                                                                                                                                                                                                                                  Imagebase:0x24228670000
                                                                                                                                                                                                                                                                  File size:177'712 bytes
                                                                                                                                                                                                                                                                  MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2045666683.00000242288C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2047468417.0000024241840000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2045722726.0000024228935000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.2022046349.0000024228672000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2046686892.0000024229181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2046686892.00000242291F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2045722726.000002422896E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2045722726.00000242288E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2046686892.0000024229203000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2046334309.0000024228F92000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2045722726.0000024228920000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                                                                                                  Start time:07:54:54
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                                                                                                  Start time:07:54:58
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "7ca2a215-f328-4822-895f-4d13156421e8" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002eDbtlAAC
                                                                                                                                                                                                                                                                  Imagebase:0x24ad6ef0000
                                                                                                                                                                                                                                                                  File size:177'712 bytes
                                                                                                                                                                                                                                                                  MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2069210697.0000024AD707B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2069210697.0000024AD7040000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071640791.0000024AD7813000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071640791.0000024AD7803000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071640791.0000024AD7791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2069210697.0000024AD7049000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2069210697.0000024AD70C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071607928.0000024AD73F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:23
                                                                                                                                                                                                                                                                  Start time:07:54:58
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                                                                                  Start time:07:54:58
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                                                  Imagebase:0x19bb5210000
                                                                                                                                                                                                                                                                  File size:145'968 bytes
                                                                                                                                                                                                                                                                  MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3058266535.0000019BB5444000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3058266535.0000019BB543E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE7C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB6921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3109272217.0000019BCED66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE796000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE80A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB692E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB6936000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB696A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3060869735.0000019BB5B1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3058266535.0000019BB5400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB690D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3053597971.00000077A94F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB660B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3058266535.0000019BB548D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB6641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3058027319.0000019BB52C0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE7B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB66CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB66BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB692A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB6722000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB5C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3104741258.0000019BCE838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3109272217.0000019BCED6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB5D3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3109272217.0000019BCED79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3060664134.0000019BB5600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB5C88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3108402911.0000019BCE930000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB6854000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3109272217.0000019BCED53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB657F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB68CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3060869735.0000019BB5BFD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3060869735.0000019BB5B5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.3063168617.0000019BB5E24000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                                                                                                  Start time:07:54:59
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6fd190000
                                                                                                                                                                                                                                                                  File size:72'192 bytes
                                                                                                                                                                                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:26
                                                                                                                                                                                                                                                                  Start time:07:54:59
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:27
                                                                                                                                                                                                                                                                  Start time:07:54:59
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "96b12e79-6bed-4b62-b87d-6860669b7bcc" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002eDbtlAAC
                                                                                                                                                                                                                                                                  Imagebase:0x1e023950000
                                                                                                                                                                                                                                                                  File size:177'712 bytes
                                                                                                                                                                                                                                                                  MD5 hash:31DEF444E6135301EA3C38A985341837
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E0244E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2347191347.000001E03CC27000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2330427171.000001E023C20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E0244EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E0244AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E024517000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E024383000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2328116682.000001E023B84000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E024589000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E024453000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2345160443.000001E03CB80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E0244B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E02451B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2347851397.000001E03CC80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001B.00000002.2331883603.000001E0242F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                                                                                  Start time:07:54:59
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                                                                                  Start time:07:55:00
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6fbf30000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2205414780.000001C5C146C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2205414780.000001C5C1460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2205875034.000001C5C1560000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000003.2082753921.000001C5C1580000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2205414780.000001C5C1483000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                                                                                                  Start time:07:55:00
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                                                                                  Start time:07:55:00
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                                                  Imagebase:0x7ff73e0b0000
                                                                                                                                                                                                                                                                  File size:161'280 bytes
                                                                                                                                                                                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2197804094.000002ED7D4D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                                                                                  Start time:07:55:02
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                                                  Imagebase:0x7ff64dd90000
                                                                                                                                                                                                                                                                  File size:4'630'384 bytes
                                                                                                                                                                                                                                                                  MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:33
                                                                                                                                                                                                                                                                  Start time:07:55:02
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "d85a67d4-12c7-47c2-9a5a-d8a5311da246" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002eDbtlAAC
                                                                                                                                                                                                                                                                  Imagebase:0x278c4620000
                                                                                                                                                                                                                                                                  File size:74'288 bytes
                                                                                                                                                                                                                                                                  MD5 hash:749C51599FBF82422791E0DF1C1E841C
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C4821000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2935696263.00000278DD7D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C482D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2855258449.00000278C5083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2935696263.00000278DD80D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C4805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2855258449.00000278C510C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000000.2105794495.00000278C4622000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C48C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2935696263.00000278DD7A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2855258449.00000278C4F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2852316069.00000278C4A30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C486D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2850032441.00000278C47E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2855258449.00000278C4F78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:34
                                                                                                                                                                                                                                                                  Start time:07:55:03
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                                                                                                  Start time:07:55:03
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" fbcf2d79-fde9-446f-9db8-b915db64fdfb "e32a6a23-e8d4-4e32-b68d-b03fd8f497a4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002eDbtlAAC
                                                                                                                                                                                                                                                                  Imagebase:0x19511080000
                                                                                                                                                                                                                                                                  File size:398'384 bytes
                                                                                                                                                                                                                                                                  MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2190585524.000001952AF77000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172224977.0000019511170000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2173998714.0000019511512000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.0000019511251000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.00000195112FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2190647233.000001952B175000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2223066667.00007FFDF1699000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2191541804.000001952B2FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.000001951121C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.000001951125C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.000001951129A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2174197330.0000019511530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2191385824.000001952B186000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2172506342.0000019511210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000000.2107240038.0000019511082000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2185856294.000001952A2D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2176320463.0000019511C11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2176320463.00000195121BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2176320463.0000019511CFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:36
                                                                                                                                                                                                                                                                  Start time:07:55:03
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:37
                                                                                                                                                                                                                                                                  Start time:07:55:14
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:38
                                                                                                                                                                                                                                                                  Start time:07:55:14
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                                                  File size:56'904'336 bytes
                                                                                                                                                                                                                                                                  MD5 hash:6AAE99153C786353C750BF8F5C9779B1
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2834835376.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000026.00000002.2833474219.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:39
                                                                                                                                                                                                                                                                  Start time:07:55:19
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\unpack\PreVerCheck.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                                                                                                                                                                                                                                                  Imagebase:0x600000
                                                                                                                                                                                                                                                                  File size:3'383'808 bytes
                                                                                                                                                                                                                                                                  MD5 hash:A7CE785B6CD1C9657040CA9B6CBEED10
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:40
                                                                                                                                                                                                                                                                  Start time:07:55:19
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                                                                                                                                                                                                                                                                  Imagebase:0x7b0000
                                                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:41
                                                                                                                                                                                                                                                                  Start time:07:55:22
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 4351DC68752ACF7C899C2675605CABA5 E Global\MSI0000
                                                                                                                                                                                                                                                                  Imagebase:0x7b0000
                                                                                                                                                                                                                                                                  File size:59'904 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:42
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B352F26-5120-4117-A109-DE650674E7DA}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA7BA938-024B-4129-BDD0-6B3FE9E5FB66}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0FCA55A-7CF7-49BE-8B56-A74C1EB44F5E}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0ADF7E2D-4BB9-42AA-A569-94D9707C001C}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{860F9839-DA15-4056-88A7-841AD3A27997}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                                                                                                  Start time:07:55:25
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F3231D3-6D37-465A-BC13-63CD6FF9624B}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03A40452-2F14-4152-BA66-B5287BBD5C9B}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C5ECAA2-1855-4FDF-894D-C85ACC1D9D7D}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05F4BBFC-F955-4195-A522-A30DD645E32B}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Temp\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\TEMP\{111B374A-FF4E-4B16-87C0-18762C80C5C7}\_isA4D9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B23DA011-82C1-4020-8602-12398184AECF}
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6b0a60000
                                                                                                                                                                                                                                                                  File size:183'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:7A1C100DF8065815DC34C05ABC0C13DE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
                                                                                                                                                                                                                                                                  Imagebase:0x240000
                                                                                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                                                                                                  Start time:07:55:26
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  General

                                                                                                                                                                                                                                                                  Target ID:144
                                                                                                                                                                                                                                                                  Start time:07:55:31
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  Disassembly

                                                                                                                                                                                                                                                                  Reset < >

                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                    Function 04BA1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $^q$$^q
                                                                                                                                                                                                                                                                    • API String ID: 0-355816377
                                                                                                                                                                                                                                                                    • Opcode ID: b831799c14197b47272327639369c34f87fa6184b45f3420000bbad59667183a
                                                                                                                                                                                                                                                                    • Instruction ID: b509662dd7d7d1b1f896f12c884f328a9ba830301ace18df69a614c0803f4db3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b831799c14197b47272327639369c34f87fa6184b45f3420000bbad59667183a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB51B035B042099FC755DF7CD850AAEBBB6EBC5350F14816AE814DB364DA309C52CB91
                                                                                                                                                                                                                                                                    Function 04BA0C1C Relevance: 2.7, Strings: 2, Instructions: 151COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$uctorAsync
                                                                                                                                                                                                                                                                    • API String ID: 0-1250179903
                                                                                                                                                                                                                                                                    • Opcode ID: 37ca7d9f1792c2e96fe0024751e759f4b75d9669c71a7356e8ccd27c29d4f0f1
                                                                                                                                                                                                                                                                    • Instruction ID: ab3af7a120508f328dfb6c842fe58a6ccb1a797ae311d0113368ad08d492640c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 37ca7d9f1792c2e96fe0024751e759f4b75d9669c71a7356e8ccd27c29d4f0f1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0511730B08214AFE744AF68D8647AE7BB7EFC9314F1484A9E506E7385CE356C06CB91
                                                                                                                                                                                                                                                                    Function 04BA1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: b0799f15e0e9e4477862337d8d2568282ed48a5aa596403526c55504e039498f
                                                                                                                                                                                                                                                                    • Instruction ID: 7fe442e3258315fd54e880431525c37ade24232c32a01ec32768fcab8312ad5b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b0799f15e0e9e4477862337d8d2568282ed48a5aa596403526c55504e039498f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC71A635F002149FDB44AFB9C854A6EB7E7EFC8300F148469E506AB3A4DE75EC528B41
                                                                                                                                                                                                                                                                    Function 04BA2644 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: ceed84329f16e1072cee5c64a5b9c735626345530022a6e4d17b29059972aac7
                                                                                                                                                                                                                                                                    • Instruction ID: d843638ef51c83d6de08c80e943a40c6c1c6b8abd1856dfb99911ffe5eee56cf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ceed84329f16e1072cee5c64a5b9c735626345530022a6e4d17b29059972aac7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF312421B0D3641BE72C6A79946437E6BDBCFD6254F0484FAE906C7382ED68EC0643A1
                                                                                                                                                                                                                                                                    Function 04BA182A Relevance: 1.3, Strings: 1, Instructions: 43COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: uctorAsync
                                                                                                                                                                                                                                                                    • API String ID: 0-3992375288
                                                                                                                                                                                                                                                                    • Opcode ID: fa6108bcf9c413896d57aed5ebc97a85c8a49f175f872c816141f01d55ddde6a
                                                                                                                                                                                                                                                                    • Instruction ID: cbb51e87aff22a7fdcd836ec134da13586ec7a671defc6a266784447600cc1be
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa6108bcf9c413896d57aed5ebc97a85c8a49f175f872c816141f01d55ddde6a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3501D131F0810597EB18BA6C85647AF7AF6DBC8708F1144ADD102B7390CE716C059BD2
                                                                                                                                                                                                                                                                    Function 04BA2764 Relevance: .4, Instructions: 393COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 92a3ec197cce44347b8c78d121d92b6ea12099a1d96c153b2d59f88c6486f7cd
                                                                                                                                                                                                                                                                    • Instruction ID: 85fcf2c1b10b096acfca52964c044d72c7475c7fdcbf41989b579a83e599c215
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92a3ec197cce44347b8c78d121d92b6ea12099a1d96c153b2d59f88c6486f7cd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5EE092B1D092049FC748DF6C90421A97FF1AB58200F1041EED40ED7341FA328903CB91
                                                                                                                                                                                                                                                                    Function 04BA23B8 Relevance: .2, Instructions: 175COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9e66051e81433d03c6ea868c131cd1a32b6a49a3d79d1a864b4a87ca81483d10
                                                                                                                                                                                                                                                                    • Instruction ID: 9bbc01c065428926bd4daf9b84a1385609d3a2b50dd116ad3656d8f81b0f12ce
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9e66051e81433d03c6ea868c131cd1a32b6a49a3d79d1a864b4a87ca81483d10
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F6510431B052159FD718CB68D894A6ABBF5FF84304F1581E9E618CB362EB31EC52CB81
                                                                                                                                                                                                                                                                    Function 04BA2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b7e6b256f03d624258bdaeecea4cdc86956969110fb56fed1531a49f831d48c6
                                                                                                                                                                                                                                                                    • Instruction ID: c9917e237ec2b42b9b0f5add2fd380c1b6fd6a676674fba90c0afa8ea5831706
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b7e6b256f03d624258bdaeecea4cdc86956969110fb56fed1531a49f831d48c6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FB41FD39B101149FCB54DF69D88099DBBF6FF89714B1481AAE905EB360DB31EC52CB90
                                                                                                                                                                                                                                                                    Function 04BA1050 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fa4687204ab3144c7b82869586e4b8fd8e935f3436e7242528c3f1118795be16
                                                                                                                                                                                                                                                                    • Instruction ID: be7d06f39bcbccd2aacdab38ff648056cca9f7375f27ba84faaa82dfa1dd03b0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa4687204ab3144c7b82869586e4b8fd8e935f3436e7242528c3f1118795be16
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 02214832F042649BDB509F7C89646EE7BAADF84204F0440AAD902DB341EA34ED178391
                                                                                                                                                                                                                                                                    Function 04BA2664 Relevance: .1, Instructions: 83COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7b6b7ca844d84fb05cb771296b082cf96788bf5f57d89384f9a80537919b0f46
                                                                                                                                                                                                                                                                    • Instruction ID: 6e25682ba64623361a2d4c1d98dbc78ca3188d2ac2d71f7b89dd681c1047b231
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b6b7ca844d84fb05cb771296b082cf96788bf5f57d89384f9a80537919b0f46
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B5115C72B492286BE7082B6864243FE7F85CB91221F1084F6FF1D96350ED2498A683D1
                                                                                                                                                                                                                                                                    Function 04BA2258 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1a5071552652e717f3899a337a0d02768c0697f5c77646d598af463992f734f5
                                                                                                                                                                                                                                                                    • Instruction ID: 7793c54428b3b32aa4ec596af833554ca026328d722ec6eaa06c2a45c77173ad
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a5071552652e717f3899a337a0d02768c0697f5c77646d598af463992f734f5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D211775E102189FCB54DF69D88499EBBF2EF8C714F10816AE905AB320EB319842CF90
                                                                                                                                                                                                                                                                    Function 04BA1958 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6e88ef09f9532d9fdedf209d8e55840c756419005e0ec526f306ab738a1e3a44
                                                                                                                                                                                                                                                                    • Instruction ID: b146810cf26de1696d3fc273c4f88c5d2e262baa89ad92eae2ff57f7a60eb5bd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e88ef09f9532d9fdedf209d8e55840c756419005e0ec526f306ab738a1e3a44
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE117F35A00125AFD744DFA4D558AA9BBB2FF8C314F144019E409E7354CB39AC87CF90
                                                                                                                                                                                                                                                                    Function 04BA1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e2d87597915c3b38dbe95e7e25931e60e990c1307bc96085e242b0412b88393b
                                                                                                                                                                                                                                                                    • Instruction ID: 08b0cf15d6ca9058cfc81a3038c36f0c9934f01fda65166115d043838e89eee0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2d87597915c3b38dbe95e7e25931e60e990c1307bc96085e242b0412b88393b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AF2124B1D042498FDB10DFAAC484ADEFBF4FF88324F10802AD459A7240CB75A945CFA6
                                                                                                                                                                                                                                                                    Function 04BA1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e847f652f4c0df527db11b95631a88324cc94aaa3cb6852b806d07270a37ca90
                                                                                                                                                                                                                                                                    • Instruction ID: c2c755ab42846ef480071ddd4aba4cc864dd5e2f44214e16012ee0c5ded6295e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e847f652f4c0df527db11b95631a88324cc94aaa3cb6852b806d07270a37ca90
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F1124B1D042498FDB10DFAAC480ADEFBF4FF88324F10802AD45967240CB74A945CFA5
                                                                                                                                                                                                                                                                    Function 04BA1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 18929802f41f261c25a090c95a57d2d128078d7b07b5a8b86f948b77ed871db6
                                                                                                                                                                                                                                                                    • Instruction ID: febec02d1305dc8680dfdc2c403f38170c5952162020b7ddbbee2c880e114cda
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18929802f41f261c25a090c95a57d2d128078d7b07b5a8b86f948b77ed871db6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA11FB35A00125AFDB44DFA8D558AA97BB6FF9C311F144029F40AE7394CB79AC86CB90
                                                                                                                                                                                                                                                                    Function 04BA1440 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 82d061a4a3969832c5123e6f222d110825c47b7fb95b9a306805439d174291a7
                                                                                                                                                                                                                                                                    • Instruction ID: 40f639e2441ff7fd632f988e457c5da9765cb62e10e364aae7c1b3d454efffcf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 82d061a4a3969832c5123e6f222d110825c47b7fb95b9a306805439d174291a7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F901D430A0A2495FDB899F7DA4352263F99EFC1604B0508EAD549CF151ED25E80787D2
                                                                                                                                                                                                                                                                    Function 02F7D005 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1811888130.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_2f7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bdeac2d4f79ddd6e072f67e3cd0339a8e016f7fbd9f9c3f0c8d5f5f32ba94a50
                                                                                                                                                                                                                                                                    • Instruction ID: 03b9a4906923b90d43de1da8e6c60d4a0d50f719b3510ebc91301d69c4235e13
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bdeac2d4f79ddd6e072f67e3cd0339a8e016f7fbd9f9c3f0c8d5f5f32ba94a50
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED014C6140E3C09ED7128B358894B52BFB4EF53668F1DC1DBD9888F2A7C3699849C772
                                                                                                                                                                                                                                                                    Function 02F7D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000002.1811888130.0000000002F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F7D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_2_2f7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b1179bcc156e24d522bac8d53e36e945aab3dad239035b174d1940144660d7af
                                                                                                                                                                                                                                                                    • Instruction ID: c5ec8ac2dfad30d2e1b95c8b85a311a0b966fc4d06d618f67e489d267db1f13d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b1179bcc156e24d522bac8d53e36e945aab3dad239035b174d1940144660d7af
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A501DB715083409AE7104A25CDC4767BF98DF41BA4F58C52BEE494B28AC779D845C6B1
                                                                                                                                                                                                                                                                    Function 04BA2A98 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bc2a8ba50eba54b98a57c8c7b693bb84a02bd8169475e604a869bdda8b8b4b51
                                                                                                                                                                                                                                                                    • Instruction ID: 515dd0bb3ecf0e87a71bc03c787d6c3c7b052ec10ecd9804a8d3c738d6b1a875
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc2a8ba50eba54b98a57c8c7b693bb84a02bd8169475e604a869bdda8b8b4b51
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50F02E7670D21017D73C5E16E4D077E6B9BDFD4755F0880E9FA0987391DE24AC1792A0
                                                                                                                                                                                                                                                                    Function 04BA25D1 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2021e12f892e29439afb8d0aacf4e2b9b7870a3a95cbf22ef3d1961a0d4584fb
                                                                                                                                                                                                                                                                    • Instruction ID: ebafaebcc5de31549a710e1ad67e0dad008aa68467b922a52dc491837158e8fd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2021e12f892e29439afb8d0aacf4e2b9b7870a3a95cbf22ef3d1961a0d4584fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 48F0E232F1401457CB0C96ACE0552FD77B6DBCC211F11802AE51BA7380EE204D0BCB91
                                                                                                                                                                                                                                                                    Function 04BA1431 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bdb369da95c0a831c8d694152ea4dd5871b1a4bbf5f9df6e68b52db3d4f7e8e9
                                                                                                                                                                                                                                                                    • Instruction ID: fd2827f32913066a5e2de3b3f069ad3b24a08cb4fc81303b3bff7ee7bef1b04e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bdb369da95c0a831c8d694152ea4dd5871b1a4bbf5f9df6e68b52db3d4f7e8e9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7AF09030E452055EEB8C9F7DA1292167F9AEFD1604B0408BD9149CF160ED25E8478BC2
                                                                                                                                                                                                                                                                    Function 04BA25E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c53d8020b5ff01e1f4017c8a789b81423bca5435e33a18bd19af1b14c92eea75
                                                                                                                                                                                                                                                                    • Instruction ID: 9d9570269fc647cbd685498bca5d79b845f2356fbbc45b9c173b34fabde21fa8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c53d8020b5ff01e1f4017c8a789b81423bca5435e33a18bd19af1b14c92eea75
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4E0E536B1415847CB0C9668E4555FEB7BADBC8210F11803AD816A3340EF305D0ACB91
                                                                                                                                                                                                                                                                    Function 04BA2654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 61b2ce73cc626d5bfcbedf22c1b4535883691c6d32e362b553ee3c6acc844a68
                                                                                                                                                                                                                                                                    • Instruction ID: 20ce9c18a9760671b64bd3aaaab126c0d28c55251e84d2f1bd255c421105ac57
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 61b2ce73cc626d5bfcbedf22c1b4535883691c6d32e362b553ee3c6acc844a68
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 99E0922071D31803FB3C2969561076A66CE8B42608F4408F9D901C7781EAD0F86803E1
                                                                                                                                                                                                                                                                    Function 04BA17F0 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a225d9352ff7023151cd997148bb8529a6548890796198b4528742b2a857367c
                                                                                                                                                                                                                                                                    • Instruction ID: 19d5e83638de37a36803ad975e321bac122da76b4856ecf451950b41eab6e094
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a225d9352ff7023151cd997148bb8529a6548890796198b4528742b2a857367c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E1D05E762191146FC308EB90F4566B9BFAAA759121B04407BEA064B3A5DD611DA287C4
                                                                                                                                                                                                                                                                    Function 04BA0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d6f283cc1acdd876cc8bebf41f29ca23b9b193bca51e47deac2125a598963d19
                                                                                                                                                                                                                                                                    • Instruction ID: ca2007cc206ba7245f920f03bdd6ec9069fa0075c181480f322cd12411f9b236
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d6f283cc1acdd876cc8bebf41f29ca23b9b193bca51e47deac2125a598963d19
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C7D0A7363140187B56047658D88597ABB99E7852607104477F90293324DD60BC5187D5
                                                                                                                                                                                                                                                                    Function 04BA2590 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9d8ca3a1cd6a640a7bd270249c4a6b4c481ca70831305e71431c7042ade3a9a3
                                                                                                                                                                                                                                                                    • Instruction ID: 30bb920236f6f8c5cbfe4843705eb9140c96388aa8189f31b881bf51aeeade63
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d8ca3a1cd6a640a7bd270249c4a6b4c481ca70831305e71431c7042ade3a9a3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DD05BF19451005BD30957B4F9597EC3B42CF94200F42446A93664F776EE609C8B47C5
                                                                                                                                                                                                                                                                    Function 04BA2A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c00ce4580879d05c66f2ab7bd7b83d7f7ca3de48aedcb9a86dbd52dd2110344b
                                                                                                                                                                                                                                                                    • Instruction ID: 7d9cce35ebfcab790d79bc6f56dcfd20835dae2a1de4b3797458df78b1974184
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c00ce4580879d05c66f2ab7bd7b83d7f7ca3de48aedcb9a86dbd52dd2110344b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FBE0EC74D052099F8744EFB9850255ABBF4AB48204B1085E99409D7300F63295128B91
                                                                                                                                                                                                                                                                    Function 04BA0440 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000003.00000003.1811343515.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_3_3_4ba0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 972c7440fe985a56b3061d3730352a75727213fca00706865a6e963f7f386ae2
                                                                                                                                                                                                                                                                    • Instruction ID: fd0185e65311977894242bde59adbdac344d21217394b58870a022e056848cd0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 972c7440fe985a56b3061d3730352a75727213fca00706865a6e963f7f386ae2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CFC04CB2F546609BD1045A4C45586E9A3A0FFB121EF9581AAC1444D405963350679A14

                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                    Function 048A7678 Relevance: 9.5, Strings: 7, Instructions: 716COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860521694.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_48a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: Pl^q$Pl^q$Pl^q$Pl^q$Pl^q$x cq$|k7p
                                                                                                                                                                                                                                                                    • API String ID: 0-665691763
                                                                                                                                                                                                                                                                    • Opcode ID: aa64770d937d78388222988fe52da0724b2119e5c65a59ffc76473213d87c25a
                                                                                                                                                                                                                                                                    • Instruction ID: 397a057ad220a08514dbb8c6642ca8150c2be16c37a67faacafff564fe5a4fc8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa64770d937d78388222988fe52da0724b2119e5c65a59ffc76473213d87c25a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A5268347006048FD714EF79C598A6ABBE2BFC8704B148869D586CB3B5EE75EC42CB90
                                                                                                                                                                                                                                                                    Function 048A0040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860521694.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_48a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: \;^q
                                                                                                                                                                                                                                                                    • API String ID: 0-2342212615
                                                                                                                                                                                                                                                                    • Opcode ID: e54b1fbf8e1d3792cc33fcb36f562c4154d0a272e0a6eb875e0ea0fe52275224
                                                                                                                                                                                                                                                                    • Instruction ID: fc616e6a8fed05298409e5e27dca98b980f878eacbee16908b0034f15924fa58
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e54b1fbf8e1d3792cc33fcb36f562c4154d0a272e0a6eb875e0ea0fe52275224
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98226E30A1061ACFDB14EF78C84469DB7B2FF89304F118AA9D845BB351EB74E995CB90
                                                                                                                                                                                                                                                                    Function 047B7448 Relevance: 20.9, Strings: 16, Instructions: 912COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                                                    • API String ID: 0-3238858861
                                                                                                                                                                                                                                                                    • Opcode ID: 11f6ab4a14c8d53138be8227aa1a0b719b7282d5a163eb6f40de1b30376b2c06
                                                                                                                                                                                                                                                                    • Instruction ID: ca20d4f0abaec2530f90b327cba3b6c61e962c07611dd98b07e7749d555da635
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 11f6ab4a14c8d53138be8227aa1a0b719b7282d5a163eb6f40de1b30376b2c06
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3A23B34A4021CDFDB259F64C944AEEBBB2FF89300F1049E9D5096B2A4DB359E85DF81
                                                                                                                                                                                                                                                                    Function 047B74C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: `q$$&_q$(_^q$4'^q$4'^q$4'^q$4'^q$4c^q$4c^q$@b^q$|-_q$$^q$$^q$c^q$c^q$`q
                                                                                                                                                                                                                                                                    • API String ID: 0-3238858861
                                                                                                                                                                                                                                                                    • Opcode ID: 69a3c69b63efc39fd133ad9672fc9045c3d05b86e55f2dd207711b8a4f11a158
                                                                                                                                                                                                                                                                    • Instruction ID: 4c9abf10e31e31e611c8012c1931afaf2b0b2711011cb7b25868e6223464f23a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69a3c69b63efc39fd133ad9672fc9045c3d05b86e55f2dd207711b8a4f11a158
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 30920B34A4021CDFDB259F64C944AEEBBB2FF89300F1049E9D5096B264DB369E85DF81
                                                                                                                                                                                                                                                                    Function 047BB688 Relevance: 6.5, Strings: 5, Instructions: 214COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$\;^q$l;>p$?>p$|]q
                                                                                                                                                                                                                                                                    • API String ID: 0-2096663882
                                                                                                                                                                                                                                                                    • Opcode ID: 63509e2b3426d0ef41e4a0fb15249837e8f72770ca26d045c4ce39e19f15173c
                                                                                                                                                                                                                                                                    • Instruction ID: 79a60f4acda82c54aea86f5984ec0dd1ce6c63d78d948428be39de06663b98d6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63509e2b3426d0ef41e4a0fb15249837e8f72770ca26d045c4ce39e19f15173c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF61D479B441164BD7049A7A89507BEA7EBBFC4744B20802ADC86D77A8EE34FC0297D1
                                                                                                                                                                                                                                                                    Function 047BB9F8 Relevance: 5.3, Strings: 4, Instructions: 264COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$(bq$(bq$(bq
                                                                                                                                                                                                                                                                    • API String ID: 0-2632976689
                                                                                                                                                                                                                                                                    • Opcode ID: 3d5a1111484b6d13c6cb39eadc97e4fe8afec0e91f886bf26d3cea2f78f95966
                                                                                                                                                                                                                                                                    • Instruction ID: 6b8fa89a476673c84354598d04746bc829aa5efc283d384a16db814bbcdcd0b7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3d5a1111484b6d13c6cb39eadc97e4fe8afec0e91f886bf26d3cea2f78f95966
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD81BF31B001148FDB14EF79D4546AE7BE6EF89310B1480BAE90ADB7A1EE34ED05C795
                                                                                                                                                                                                                                                                    Function 047B85C0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$d
                                                                                                                                                                                                                                                                    • API String ID: 0-3334038649
                                                                                                                                                                                                                                                                    • Opcode ID: cb51206fc02cac2b268ab81d709e12c731cbdc096cc55285d9b1006628f44032
                                                                                                                                                                                                                                                                    • Instruction ID: d3042cfa33b9bc6a5de29c7265e5c3c2c14e4c33e88a8945b2aa58b3076232ef
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cb51206fc02cac2b268ab81d709e12c731cbdc096cc55285d9b1006628f44032
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DDF1AF346006058FD714DF19C480AAABBF6FF89314B16CA69D4AADB366DB30FC45CB91
                                                                                                                                                                                                                                                                    Function 047B99B8 Relevance: 2.9, Strings: 2, Instructions: 368COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$(bq
                                                                                                                                                                                                                                                                    • API String ID: 0-4224401849
                                                                                                                                                                                                                                                                    • Opcode ID: 0f1ff26c8bec7941dda76a7ea82d123aaf11f1f3d669cd6e8e3b66d10ff451b9
                                                                                                                                                                                                                                                                    • Instruction ID: 58e8785ff190856bf5014d6cf94437673e9184bc19c0b56721be7c7791626b41
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f1ff26c8bec7941dda76a7ea82d123aaf11f1f3d669cd6e8e3b66d10ff451b9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DBF17BB4A003598FCB05DFA8C884A9DBBF2FF89300F158195D959AB3A5DB34ED45CB90
                                                                                                                                                                                                                                                                    Function 047B6C20 Relevance: 2.8, Strings: 2, Instructions: 334COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$|7>p
                                                                                                                                                                                                                                                                    • API String ID: 0-2986658212
                                                                                                                                                                                                                                                                    • Opcode ID: 78365399d8a79f6ca6699cd658988166d9dc7aa4ca9773b7851db023c157bc10
                                                                                                                                                                                                                                                                    • Instruction ID: 18610ab4b0001b14a985568bd9701b5968eb79a9ab479ded27dfe651eee1ab3b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 78365399d8a79f6ca6699cd658988166d9dc7aa4ca9773b7851db023c157bc10
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DC19F30B005158FC7189F79C5946AEBBE2BFC9714B24896AE586DB3A4DF30EC45CB81
                                                                                                                                                                                                                                                                    Function 047B1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $^q$$^q
                                                                                                                                                                                                                                                                    • API String ID: 0-355816377
                                                                                                                                                                                                                                                                    • Opcode ID: c6b216113966b5259cf41920ec080fb71a88e4877861241f79950d9f8417a096
                                                                                                                                                                                                                                                                    • Instruction ID: 8fed4523dbd180ff8975949d129e7fe31d309f79304dbf6ceba05ffd71c2f246
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c6b216113966b5259cf41920ec080fb71a88e4877861241f79950d9f8417a096
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B251C131B002099FCB15DF79D8546EE7BEAEBC5390B54812AE854DB365DE30AC02C7D1
                                                                                                                                                                                                                                                                    Function 047BA228 Relevance: 2.6, Strings: 2, Instructions: 133COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$(bq
                                                                                                                                                                                                                                                                    • API String ID: 0-4224401849
                                                                                                                                                                                                                                                                    • Opcode ID: f68d46a6047bd6e8143561a3f142edd8beecacb87927380d34f4cad68f7ede70
                                                                                                                                                                                                                                                                    • Instruction ID: 9ea66aaedfa0b30a017b176ac691558c92df24c3eca1ff823f5458a9e529f46e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f68d46a6047bd6e8143561a3f142edd8beecacb87927380d34f4cad68f7ede70
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3941E330B042549FD715DB69C854BAEBBF2EF89310F1480A9D845AB391DE35AD02CB90
                                                                                                                                                                                                                                                                    Function 047B3747 Relevance: 2.6, Strings: 2, Instructions: 128COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$LR^q
                                                                                                                                                                                                                                                                    • API String ID: 0-516514815
                                                                                                                                                                                                                                                                    • Opcode ID: de8e9b470d62044d8682231b2e77cbbb34868dc01aea1d4517703442a2e73cdb
                                                                                                                                                                                                                                                                    • Instruction ID: 523e48b8c8465ca473f43cd7d0d29a750072c6609acfa94666b15d3b32780d90
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: de8e9b470d62044d8682231b2e77cbbb34868dc01aea1d4517703442a2e73cdb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D411971B043944FEB099F3898657BE3BA7EFC2604F14446EE882DB395EE34AC458791
                                                                                                                                                                                                                                                                    Function 047BEA88 Relevance: 2.6, Strings: 2, Instructions: 117COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$T;>p
                                                                                                                                                                                                                                                                    • API String ID: 0-3734550289
                                                                                                                                                                                                                                                                    • Opcode ID: 5536558ec1740d7d7a0046f56a75208ff6d071f1b88a232c6098ee5b13567203
                                                                                                                                                                                                                                                                    • Instruction ID: 3eba66579f3a9cf5a18688901bfe16ad44ebd6fb6c0509d38f1255ea0d077361
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5536558ec1740d7d7a0046f56a75208ff6d071f1b88a232c6098ee5b13567203
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F31DD317002158FDB089B7ED454AAFBBE6FFC82547144979E946CB3A0DE34EC018B95
                                                                                                                                                                                                                                                                    Function 047BE1F0 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (Acq
                                                                                                                                                                                                                                                                    • API String ID: 0-1548273396
                                                                                                                                                                                                                                                                    • Opcode ID: cf5465941e19119b23810305d5ff89c601d1221ecf52d0d934913aabd0964a8d
                                                                                                                                                                                                                                                                    • Instruction ID: 38c4b54032091abf25eb8efc067c60347e10a289fd88d729316906d598213216
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cf5465941e19119b23810305d5ff89c601d1221ecf52d0d934913aabd0964a8d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3BC16E70B102159FDB15DFA9C5946EDBBB2AF84304F144429D846EB394DF74AC06CB91
                                                                                                                                                                                                                                                                    Function 048A9FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 048A9FF8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860521694.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_48a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 6842923-0
                                                                                                                                                                                                                                                                    • Opcode ID: 59d901683ffbedb42ce0a84577424ac2f06627d32763de5ffb36f84fa485a4bb
                                                                                                                                                                                                                                                                    • Instruction ID: 5b9270420dd219dd5f300e2b050eec7bbec2a248a36db2971339b9c41dcdff02
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 59d901683ffbedb42ce0a84577424ac2f06627d32763de5ffb36f84fa485a4bb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FE115C36A01204DFFB18EE78D4443ECB7A1EB88328F148A25D515E7690EB77B959CB50
                                                                                                                                                                                                                                                                    Function 048A9FD0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 048A9FF8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860521694.00000000048A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_48a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 6842923-0
                                                                                                                                                                                                                                                                    • Opcode ID: b638fb73768d96f4c4219579130e980f0a413d1837e3f00d04dd689b4498563b
                                                                                                                                                                                                                                                                    • Instruction ID: 0a3ad8f630a0517a412748dfbd651e116a0504e4d35a96fae55660879aeaa617
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b638fb73768d96f4c4219579130e980f0a413d1837e3f00d04dd689b4498563b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F1113636A01705CFFB19EA74C5843ECB7A1EB88328F108A14C805E3180EB76A95ACB12
                                                                                                                                                                                                                                                                    Function 047BBE40 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: Q0n^
                                                                                                                                                                                                                                                                    • API String ID: 0-689569478
                                                                                                                                                                                                                                                                    • Opcode ID: dedcf4f5a304b35622eaa2e0f6fde81ebcf813814222a36c0e8f39c467ee3e3b
                                                                                                                                                                                                                                                                    • Instruction ID: 84b14624d89b18b6e9968db0749c0ccce553050f0791c116c655c2488ac33dcc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dedcf4f5a304b35622eaa2e0f6fde81ebcf813814222a36c0e8f39c467ee3e3b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9BB17C74B006058FDB15DF38D584AAEBBF2FF88204B048A69D946DB365DB34EC46CB91
                                                                                                                                                                                                                                                                    Function 047B1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: c23a21c4710e1349db16431c17e29ff521bc3e6616eadbab62ffbb1397a9803d
                                                                                                                                                                                                                                                                    • Instruction ID: 51bc26722e68cdd793c15d3b8f764c99f596374087ec995f8042703f3d71b246
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c23a21c4710e1349db16431c17e29ff521bc3e6616eadbab62ffbb1397a9803d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D719231B002189FDB049BB5C9647AE77A7EFC8240F148429E946EB3A4DE35EC429B91
                                                                                                                                                                                                                                                                    Function 047B57B8 Relevance: 1.4, Strings: 1, Instructions: 197COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 58a0b531750f5a8c034e40a1bf1492b4a16ebd028efc9892ba4f42effa840475
                                                                                                                                                                                                                                                                    • Instruction ID: e69700d57c52bc5fcf41f8aa8737659447e3ff395994ba877666177c4adc5ec6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 58a0b531750f5a8c034e40a1bf1492b4a16ebd028efc9892ba4f42effa840475
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D51D0A150E7C58FC706CB7899902547FF5EF83214B0E44EBC984CF2A7DB28988AC755
                                                                                                                                                                                                                                                                    Function 047BBE33 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: Q0n^
                                                                                                                                                                                                                                                                    • API String ID: 0-689569478
                                                                                                                                                                                                                                                                    • Opcode ID: 244bc6c284f553ef93a2ec835b6d0f1a57d5169daa01dc4f043230853cc77ab1
                                                                                                                                                                                                                                                                    • Instruction ID: 026ffac57782b4abcb29c1a6559351fb2ef41fffe1aa60b69821f6555d2dbfb4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 244bc6c284f553ef93a2ec835b6d0f1a57d5169daa01dc4f043230853cc77ab1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A9719B74B006018FDB05DF38D5946AEFBF2FF89204B048A69D9469B365DB34EC46CB91
                                                                                                                                                                                                                                                                    Function 047B6048 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: a672e356b7540ca1ac7a3d2b42d778e7729826e1977a16f1b2f861b89ea09d7b
                                                                                                                                                                                                                                                                    • Instruction ID: b15beaee2134a2ec40d8714dc0847e457314c52e0d812512260401cf39089468
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a672e356b7540ca1ac7a3d2b42d778e7729826e1977a16f1b2f861b89ea09d7b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B717374A002189FEB05EBE4C8606DEBFB2FF89304F104929C516B73A0DE35AD49EB51
                                                                                                                                                                                                                                                                    Function 047B68E0 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 5a7ba6841d7a9f8da260a7141ec101bde8d052a4d1fb4ee39b7de8e9a6d61cb4
                                                                                                                                                                                                                                                                    • Instruction ID: 3f8aabb09789d709a3ace9d4ecd333fcf59dda51566b1c9f2a61447b63a3dcaf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a7ba6841d7a9f8da260a7141ec101bde8d052a4d1fb4ee39b7de8e9a6d61cb4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2161617AB002059FCB11CF68D88099ABBF6FF8D310B1584A9EA59DB361D731ED15CB90
                                                                                                                                                                                                                                                                    Function 047BE7D8 Relevance: 1.4, Strings: 1, Instructions: 181COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: L<>p
                                                                                                                                                                                                                                                                    • API String ID: 0-3426176556
                                                                                                                                                                                                                                                                    • Opcode ID: 0da2d0605bb511c2c206179f3b02f4e693f15574954e381d8a4721492c0c47f4
                                                                                                                                                                                                                                                                    • Instruction ID: 263b3af2b01f9a4f2b37736822a00b0d408fdc21e6e6ad527e34b711d93696bc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0da2d0605bb511c2c206179f3b02f4e693f15574954e381d8a4721492c0c47f4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D613D317002059FDB54EF79D5986EEBBF6BF88604B248429D446EB390DF74AC05CB91
                                                                                                                                                                                                                                                                    Function 047B6BF1 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: |7>p
                                                                                                                                                                                                                                                                    • API String ID: 0-810113388
                                                                                                                                                                                                                                                                    • Opcode ID: a7dcaeb74b6d229e3052b667d56a379efb36daf4d78fd181961609c0093be8b3
                                                                                                                                                                                                                                                                    • Instruction ID: dfb4a73f74a02f4b54309d5d1404f97b099b7ca76a86df70d845d07d464c9f03
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7dcaeb74b6d229e3052b667d56a379efb36daf4d78fd181961609c0093be8b3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F951AE30B002058FCB05DF78C994AAEBBF2BF85210B1585A9E945DB3A6DB30ED05CB91
                                                                                                                                                                                                                                                                    Function 047B0E8C Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: aa523f1e0fb6d1689d99337700f5d7610d62b3c41edd194247953325ff364a04
                                                                                                                                                                                                                                                                    • Instruction ID: d14e3de93647131cf48cbe0f65573c2bf27356d271deba1f9922221a0434e1ea
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa523f1e0fb6d1689d99337700f5d7610d62b3c41edd194247953325ff364a04
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 58412831B001155BEB18AA79986CBEE779BDFC4350F548829E946EB381CE35BC0683E1
                                                                                                                                                                                                                                                                    Function 047BC4D8 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 66781b15c6427da4c03a5a04ce53f7f011d0d54bf7a9aeadefebce765f446b9a
                                                                                                                                                                                                                                                                    • Instruction ID: 4c3d44b1b4a7dc22fb53f18844da9a61929671957e005a53531f72475083eae3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 66781b15c6427da4c03a5a04ce53f7f011d0d54bf7a9aeadefebce765f446b9a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C51C2353047418FD316DB34D554A6ABBE2EFC5300B18CA6DD48A8B7A5DA34FC46C791
                                                                                                                                                                                                                                                                    Function 047BE428 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (Acq
                                                                                                                                                                                                                                                                    • API String ID: 0-1548273396
                                                                                                                                                                                                                                                                    • Opcode ID: 0b10214899323b6f711b79ece80b9f871cef58f67c27fdbc21331c01652d817e
                                                                                                                                                                                                                                                                    • Instruction ID: a286a36fd62bf7f350a6e9db0d329513cb70982b4ca70c8cd6d28beebe3d95de
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b10214899323b6f711b79ece80b9f871cef58f67c27fdbc21331c01652d817e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D416F70B102159FDB19DF69D994BEEBBB2BF88204B104429D841AB390EF74AC05CB91
                                                                                                                                                                                                                                                                    Function 047BE438 Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (Acq
                                                                                                                                                                                                                                                                    • API String ID: 0-1548273396
                                                                                                                                                                                                                                                                    • Opcode ID: 062b438040828180b9a2cd3bb28f7c6605740efa89be2a69993048eede017d59
                                                                                                                                                                                                                                                                    • Instruction ID: 84aad59594b4e4a58a76af73d8ba502d10761bc77754fa59e202aa27fe24f982
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 062b438040828180b9a2cd3bb28f7c6605740efa89be2a69993048eede017d59
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 96415E30B102159FDB15DF69D994BEEBBB6BF88204F108429E855AB350EF74AC05CB91
                                                                                                                                                                                                                                                                    Function 047B858F Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 4bfa176729013a322e4a41b12775242b737b81a0cab400521bb936a2e5b93d19
                                                                                                                                                                                                                                                                    • Instruction ID: 3edcbee18ef689576d864ca9673f97f4ed1383270a5a44077c172cb59a59e09a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4bfa176729013a322e4a41b12775242b737b81a0cab400521bb936a2e5b93d19
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E419F39A00605CFDB14DF59C480AAABBF6FF89318B16C959D49AAB351CB34F841CF91
                                                                                                                                                                                                                                                                    Function 047BE7C7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: L<>p
                                                                                                                                                                                                                                                                    • API String ID: 0-3426176556
                                                                                                                                                                                                                                                                    • Opcode ID: 94e1ee39efd583e8af18abe2fe30ffb5370ac1360751fce8a88165131702a5b3
                                                                                                                                                                                                                                                                    • Instruction ID: bf125be1b0ed2b6df5a15b242d4c570590e952666a4ba3367fe194e06afa81a2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94e1ee39efd583e8af18abe2fe30ffb5370ac1360751fce8a88165131702a5b3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F416F31B001159BDB14DF79D4986EEBBFAFFC8600B208829D456E7390DF74AC068BA5
                                                                                                                                                                                                                                                                    Function 047B85B0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 1d526ec78bfc525d007cce48c2a9a8afc8b30f99a5282f5c5461158642ef0fa7
                                                                                                                                                                                                                                                                    • Instruction ID: 8d2dd04e40c87ec5de8d6c8b7afdb947817b8b8cc346cd63966df6dae09aea2a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d526ec78bfc525d007cce48c2a9a8afc8b30f99a5282f5c5461158642ef0fa7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1417E74A006058FDB14DF59C480AAAB7F6FF89314B16C969D89AAB361CB30F841CF95
                                                                                                                                                                                                                                                                    Function 047B0C1C Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 816d26e20e7d569b9ac85182f4c6ef9432632342e86fe72d0eddd00744d3babc
                                                                                                                                                                                                                                                                    • Instruction ID: abc06414a77f4af2763944e41320c0a3fa3b0b8099dfe8dda5f73b512bee7e4b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 816d26e20e7d569b9ac85182f4c6ef9432632342e86fe72d0eddd00744d3babc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82310620B083845BE715AB3958343EE7FA3EB86354F5484AAD582EB386CD34AC0587E1
                                                                                                                                                                                                                                                                    Function 047B45C8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: f40844110986ce11ef38b52511d85886e0f49a712f371cdf0a2b0f33bc96f4ac
                                                                                                                                                                                                                                                                    • Instruction ID: 7834c63ac4c21b2a5ba4d310980c8be9ba07f397af173f088a5f8da190834046
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f40844110986ce11ef38b52511d85886e0f49a712f371cdf0a2b0f33bc96f4ac
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E21D0397002018FDB049B2CE444AAD77E7EFC9314325896AE549DB3A6EE34EC028B91
                                                                                                                                                                                                                                                                    Function 047BAAA7 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: n
                                                                                                                                                                                                                                                                    • API String ID: 0-2013832146
                                                                                                                                                                                                                                                                    • Opcode ID: 8db9bdde2a1b92270dfe4450d9bde3a619219908767340418ac10a78ed1c9fd1
                                                                                                                                                                                                                                                                    • Instruction ID: be455a77a56d4c372856092523270047bceb3c5b16122cbe676a7f956ac29cf8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8db9bdde2a1b92270dfe4450d9bde3a619219908767340418ac10a78ed1c9fd1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6219E74E003099FDB45EFA8D590AAEBFB1FF49314F01459AD841AB361DB34A944CB91
                                                                                                                                                                                                                                                                    Function 047B5F38 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: LR^q
                                                                                                                                                                                                                                                                    • API String ID: 0-2625958711
                                                                                                                                                                                                                                                                    • Opcode ID: 6ffb97feda1d56eea27a5cdbd43acd2abb605471414901a0b7559cee82ea0bc3
                                                                                                                                                                                                                                                                    • Instruction ID: 3ebc72a1d784a91d0423fd1dda294e65c522edeeb57412eb2811a093f4ab672a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ffb97feda1d56eea27a5cdbd43acd2abb605471414901a0b7559cee82ea0bc3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C219234B101059FDB049B69C455AEE7BE6EB88614F108419E902A73A0DE746C018F95
                                                                                                                                                                                                                                                                    Function 047BAF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: \;^q
                                                                                                                                                                                                                                                                    • API String ID: 0-2342212615
                                                                                                                                                                                                                                                                    • Opcode ID: 227a701c50154a9e85cc37413338528af6ec05f534d9e5d07ba018ca1bbffe06
                                                                                                                                                                                                                                                                    • Instruction ID: 0b83e35d04ceafb792fde6d2707f5390941df31d098a68a86f42fa36dbed1aa9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 227a701c50154a9e85cc37413338528af6ec05f534d9e5d07ba018ca1bbffe06
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 921186323042014F9B549AAEA884A9BF7DEEFC8665314843BF54DC7758EE75FC054390
                                                                                                                                                                                                                                                                    Function 047B5F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: LR^q
                                                                                                                                                                                                                                                                    • API String ID: 0-2625958711
                                                                                                                                                                                                                                                                    • Opcode ID: 84e5903e7b6b65a3b27e0848deac57210190a32b617bfa4d987ebfeda49fc3e2
                                                                                                                                                                                                                                                                    • Instruction ID: 5f574661ab9c8028fdb2b86c136d77bb5082349cdf53a4c88c54010591d8eb29
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 84e5903e7b6b65a3b27e0848deac57210190a32b617bfa4d987ebfeda49fc3e2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A216234B10115DFDB089B69C455AAEBBF6FB8C614F108419E906AB3A0DE75AC01CFD5
                                                                                                                                                                                                                                                                    Function 047B3370 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: fcq
                                                                                                                                                                                                                                                                    • API String ID: 0-2768158334
                                                                                                                                                                                                                                                                    • Opcode ID: c6c87b75dcd06db340e2b798d5718296fd3a1dc9212c6ce21d1f98ff46092b3b
                                                                                                                                                                                                                                                                    • Instruction ID: db68c87bf26e813101beaa2175d065ae7682ef9e438b83d2658a0c559846c58b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c6c87b75dcd06db340e2b798d5718296fd3a1dc9212c6ce21d1f98ff46092b3b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 63110875F042046FCB059FB59854ABFBFAAEBC8700F018029E945D7380DE384D028B92
                                                                                                                                                                                                                                                                    Function 047B3380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: fcq
                                                                                                                                                                                                                                                                    • API String ID: 0-2768158334
                                                                                                                                                                                                                                                                    • Opcode ID: d70c44994d308d9cdeefb38a9c3f438f008416f73dc2fc05d1adbbb399f47989
                                                                                                                                                                                                                                                                    • Instruction ID: 8e6cebb077463b9b6bcfe87ac4f5e0d58e551437fa9e2f205d0ac6d890277101
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d70c44994d308d9cdeefb38a9c3f438f008416f73dc2fc05d1adbbb399f47989
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5211A575B04215AFCB099FB598449BFBFAAFBC8600B108029F909D7380DE385D029BD5
                                                                                                                                                                                                                                                                    Function 047BEA75 Relevance: 1.3, Strings: 1, Instructions: 35COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: T;>p
                                                                                                                                                                                                                                                                    • API String ID: 0-1557473241
                                                                                                                                                                                                                                                                    • Opcode ID: fa6453185ac98bd4f3c11afbc36f1ab558d35751a049acec091caed5c8350153
                                                                                                                                                                                                                                                                    • Instruction ID: 4b659a32e2801d9a8af53499d2ce9bc13110ab8a4a9708c0011828e5184237ba
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa6453185ac98bd4f3c11afbc36f1ab558d35751a049acec091caed5c8350153
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FFF0E93A3093511FC70A163CA45016DBFFB6BCA51036904EBD449CB3A3CD199C068365
                                                                                                                                                                                                                                                                    Function 047B99A8 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b3368b79225f79fa54ae9149019b6e024c68fb1f2dc3d97d50c00fa92b874bdb
                                                                                                                                                                                                                                                                    • Instruction ID: 840a685438953e3bd4a6750b7a04eccbfe882d535bb104ed0a69be0ef5a18bf4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b3368b79225f79fa54ae9149019b6e024c68fb1f2dc3d97d50c00fa92b874bdb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3D126B4A003598FCB05CFA8C888ADDBBF2BF89300F158195D958AB365DB74ED45CB90
                                                                                                                                                                                                                                                                    Function 047BABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f056a9a37d908a65c4cb2b00854626374c3dae82ffa115a957a45d4e8b805f71
                                                                                                                                                                                                                                                                    • Instruction ID: 337c2930dd445122dac3087477ac95afcebcd511385fcd072f45f65299647a8f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f056a9a37d908a65c4cb2b00854626374c3dae82ffa115a957a45d4e8b805f71
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 775156343000118FDB09AF2EC498A6A77E6BFC971132984A9E146CB379EF71EC45CB80
                                                                                                                                                                                                                                                                    Function 047B5483 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 360af53459471f39415bb4812233aa9b5001d75a1ece4a78dea673e7b0e1ffbd
                                                                                                                                                                                                                                                                    • Instruction ID: 0776051575a895f6d14beb47aee67fae0625bd4342696899e7d55f27484900d0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 360af53459471f39415bb4812233aa9b5001d75a1ece4a78dea673e7b0e1ffbd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24513C75A00219EFEB05DBE4D9546AEBBB2FFC9304F004829E601B73A4CE356D49DB61
                                                                                                                                                                                                                                                                    Function 047B34A8 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9d7efb94bc9d81cb2f54b13ba9e60da658cfeeebb71a484d915c460e15b83995
                                                                                                                                                                                                                                                                    • Instruction ID: 3931b8b40159a708f19a25769db124b1a53a9cf1ae8a752ec38cbf9dd57c3f55
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d7efb94bc9d81cb2f54b13ba9e60da658cfeeebb71a484d915c460e15b83995
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D751A4347142069FCB05EB38DA5056EBBA7EBC5604B108A29E405DB368EF74FD4E8BD1
                                                                                                                                                                                                                                                                    Function 047B34B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: be089a458692134ede80fa7f8103ab4479b7d8d11ab33b7e9ad3557b20da03db
                                                                                                                                                                                                                                                                    • Instruction ID: 1d1c89e93db60348207c48a5f3974dc8e95ffe3e2aaf33e6745a6dad04ccc4eb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: be089a458692134ede80fa7f8103ab4479b7d8d11ab33b7e9ad3557b20da03db
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A5191347102169FCB05EB68D65056EBBE7EBC5604B108A29E809DB358EF70FD4E8BD1
                                                                                                                                                                                                                                                                    Function 047B5490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 568ad1ce0dedd80f7a81eab1d490b422d38eb40cd817240e37463e672b491410
                                                                                                                                                                                                                                                                    • Instruction ID: b766f045ec4a4d303765c2fc0af74f23606edfc927b07f3aa40f543c83080eb6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 568ad1ce0dedd80f7a81eab1d490b422d38eb40cd817240e37463e672b491410
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF512B34A00219EFEB04EBE4D9546AEBBB6FFC8304F104829E601773A4CE356D49DB65
                                                                                                                                                                                                                                                                    Function 047BB4F7 Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e27995dd1c368960946554c5c2f9a4f9c7cdc2a8bfac57a3b2794fddb78b3006
                                                                                                                                                                                                                                                                    • Instruction ID: c236d37d03198fed201f3edab888aa90e1efab71ce27226a76dbd9c027edcaad
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e27995dd1c368960946554c5c2f9a4f9c7cdc2a8bfac57a3b2794fddb78b3006
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 63414F759093909FD7129B3898647A63F75EF43314F0640E7D8808F2A3EA749C4AC7A6
                                                                                                                                                                                                                                                                    Function 047BF681 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 517be8249bbcffa07d71e5c19099a62780b134422a6579a0a9f6446ca0d39b51
                                                                                                                                                                                                                                                                    • Instruction ID: 4b7aed9ec9aee89302e79a6ed328178fc6c0b3fa0a4bde51121b8d92f7aa9810
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 517be8249bbcffa07d71e5c19099a62780b134422a6579a0a9f6446ca0d39b51
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BD41C4316042558FCB15DB38D894A6EBFF6EF8A200B0448AAE585C7366DA34DD09CB50
                                                                                                                                                                                                                                                                    Function 047BF649 Relevance: .1, Instructions: 108COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 799f2f9fbd472e477a1f5bb1afe054ae71c86cad173a9770d76f160c2a70181a
                                                                                                                                                                                                                                                                    • Instruction ID: 30bfbd9c0fe53f7a2197f91cab6b7a303ce8007e81a5facffec641b2a24dc353
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 799f2f9fbd472e477a1f5bb1afe054ae71c86cad173a9770d76f160c2a70181a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A741D2716042558FCB11CF38C8849AEBFF6EF8A204B044999E482CB366DB34ED46CB51
                                                                                                                                                                                                                                                                    Function 047B2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 36390ed7a685b4c7cfd5bff6148abe69bb72dea681a1ba071f8f8783c5f87f50
                                                                                                                                                                                                                                                                    • Instruction ID: 9e64112e375bcc1a67883fd47442bfea77c14993fe5012c11113dde072b02071
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36390ed7a685b4c7cfd5bff6148abe69bb72dea681a1ba071f8f8783c5f87f50
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B411835B012089FCB14DF69D8849DEBBB6FF88714B108169E905EB361EB31EC42CB90
                                                                                                                                                                                                                                                                    Function 047BE1E0 Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 538a86264eb672b3239efadb4bd3f632476dd0f57efc262ee8415576094dfd74
                                                                                                                                                                                                                                                                    • Instruction ID: 5aebfcd92bf1168163e65931945616b1b351c2d0a06b7d887c79ceede5546f57
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 538a86264eb672b3239efadb4bd3f632476dd0f57efc262ee8415576094dfd74
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4414875E002498FCB14CFA9C5949DEBBB2FF89300F258569E845AB365DB30ED46CB80
                                                                                                                                                                                                                                                                    Function 047BF6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bd2dd0595a817d5993412e35506ef2751ce6a194b9834c3c2a1560dd2fc21b2e
                                                                                                                                                                                                                                                                    • Instruction ID: fda444d42c0bbbc7cc920c3c1fa6e95be145b00464f54e6622ee33778b2870d3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd2dd0595a817d5993412e35506ef2751ce6a194b9834c3c2a1560dd2fc21b2e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D241AD307002558FCB14DB29C888AAEBBFAEFC9304B044969E546C7365DB74EC09CB90
                                                                                                                                                                                                                                                                    Function 047B6720 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 80ec99e23ab4f61945194eb29f1cfd71452e915f3c170ffa7c1bb20106f83216
                                                                                                                                                                                                                                                                    • Instruction ID: 0e45942595e7b6aaf2266bda28271ad17fc839f8b2fa524ebdfbd4f4ff219370
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 80ec99e23ab4f61945194eb29f1cfd71452e915f3c170ffa7c1bb20106f83216
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C941CF34A00208EFDB00DFA8D5446AEBBFAFF85214F0089A9D519AB355DB30FD49CB91
                                                                                                                                                                                                                                                                    Function 047BB080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8949b529805ac0a1a91b4ab9ba8a10f4a5f622e2ad9bc4c35621eead9eb07358
                                                                                                                                                                                                                                                                    • Instruction ID: 91c471145af98d2883cac242ca654350642163494f0631d557295b14b6ec26e7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8949b529805ac0a1a91b4ab9ba8a10f4a5f622e2ad9bc4c35621eead9eb07358
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3318D35B001058FDB10CEA9D980AAAF7EAEF84214B14C16AEA18D7755DB31FC01CB90
                                                                                                                                                                                                                                                                    Function 047B310C Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8940f70e118e7ce3010e4b04370c998461da79f2518b4ee23351e72a95161da8
                                                                                                                                                                                                                                                                    • Instruction ID: a5944e27111bef4787b8d4973463f514ea525f80031b313291a88f29cce6b10d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8940f70e118e7ce3010e4b04370c998461da79f2518b4ee23351e72a95161da8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77214C31A493587FD71126647C247FA7F49DF42329F1180A7FDC89A792C928A8C093D1
                                                                                                                                                                                                                                                                    Function 047B56C3 Relevance: .1, Instructions: 83COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b32e5020ba11b3373af0e9bdd0a7cb5ed8059662085f2a13128d804014864cf8
                                                                                                                                                                                                                                                                    • Instruction ID: 9e88fd6fd9785a7e857b66fd59050a5eb74addc44f6ea95b04af1bfdf4af1fed
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b32e5020ba11b3373af0e9bdd0a7cb5ed8059662085f2a13128d804014864cf8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4531C975600209AFEB049BA8E95469DBBB2FFC5304F004D29E605B7364DF35AC09CB61
                                                                                                                                                                                                                                                                    Function 047BC558 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6f0ef79e3f1bf341e7ae475feca201d0173970f87005ab72db341335ca870f1a
                                                                                                                                                                                                                                                                    • Instruction ID: 1d0f2640494863912579701966f3ccf779f49508bb11da49e5898f1e1c22d5a5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f0ef79e3f1bf341e7ae475feca201d0173970f87005ab72db341335ca870f1a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E3181352046418FC326DF34D598A66FBF2EF85304B18CA6DD4868B766CA34EC46CB90
                                                                                                                                                                                                                                                                    Function 0452D6A4 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1861139014.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_452d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 95392b143e5fd74adf7ee210a5fbf328b9241dc7eaa69413a8e9ba73965c5342
                                                                                                                                                                                                                                                                    • Instruction ID: f5c8a5c7bf5850429e22e2c9e07b0ad9692106817cb924fb4e65fa1ae79f5001
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 95392b143e5fd74adf7ee210a5fbf328b9241dc7eaa69413a8e9ba73965c5342
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F214571604240DFCB05DF14DAC0B2ABF71FB84314F24C56AD8094B296C33AE44AEBA1
                                                                                                                                                                                                                                                                    Function 047BB598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d483588b8a56c81816b10f14e974ff749be2b8dc50268a7552a6ae1ac2e4f301
                                                                                                                                                                                                                                                                    • Instruction ID: 23f70af0f26aa5509827a04215191816875bc06fac1dbc73b1d194b9298154db
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d483588b8a56c81816b10f14e974ff749be2b8dc50268a7552a6ae1ac2e4f301
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D21BE34B00208CFDB149F75E844ABA7BAAFB85705B008476E905DB750EF71EC46CB91
                                                                                                                                                                                                                                                                    Function 047BB930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 804bebf19185e8187ab237b7689fdc201fed6ae72d4ad137fe230df2c6d81801
                                                                                                                                                                                                                                                                    • Instruction ID: 77446e0f129b83ddcf68fa26e967b03ea2a938ed322e20ac4756871c36889529
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 804bebf19185e8187ab237b7689fdc201fed6ae72d4ad137fe230df2c6d81801
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 641190723542018F9754CA6ED884AABF7DAEFC8264714C43BAD89C7799EE71FC018390
                                                                                                                                                                                                                                                                    Function 047B1BB0 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 32c833680fe7f8684cbabd1fb824970a9a12bc1adf6b483057d76656e04ef948
                                                                                                                                                                                                                                                                    • Instruction ID: 3f52a2ec2659853ae8fc336e4261a40edbfa56ab5de2ab454af4ea25c0880fd1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 32c833680fe7f8684cbabd1fb824970a9a12bc1adf6b483057d76656e04ef948
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 67114C25B093802FDB165A7648787EB2F5ADBD12D4F4880A6D9C5CF382DE14EC06C3E0
                                                                                                                                                                                                                                                                    Function 047B0F30 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 370847b6641b1a6adbfb96c57b36e656c4a68a20c903ba3da83692f34b98de36
                                                                                                                                                                                                                                                                    • Instruction ID: 071973cda01a067dae4166b66299691a4c1fdbb8a8bd7b42127116a0d690c132
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 370847b6641b1a6adbfb96c57b36e656c4a68a20c903ba3da83692f34b98de36
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3911882170D3844FCB03173859343ED3B79DB82284B6548E6C58DCF382D908EC0A83D6
                                                                                                                                                                                                                                                                    Function 047B2258 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 29df0027d2751d0847112208fc05bc4482c255d995e3a7ce862a839ce62a9f98
                                                                                                                                                                                                                                                                    • Instruction ID: 98877e707c20cffc9b040951647466d30bfdfa4f07e07c83ab47d2129d0a7286
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 29df0027d2751d0847112208fc05bc4482c255d995e3a7ce862a839ce62a9f98
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83214A75E112089FCB45DF69D888ADEBBB5FF8C710B10816AE905EB321DB31A841CB94
                                                                                                                                                                                                                                                                    Function 047B0F20 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f1fdfedef86d83ea65574ee89c88b4b6be55e7b3404d657f4006ea03a5fda2e1
                                                                                                                                                                                                                                                                    • Instruction ID: 7f75993fee02bc113dea7b2feafc339a2417d579d8d29783622eed765886d021
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f1fdfedef86d83ea65574ee89c88b4b6be55e7b3404d657f4006ea03a5fda2e1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5201B1267093541BCB161B3928783AF7F4BCFC5690F458476ED88CB301DD24EC0582E1
                                                                                                                                                                                                                                                                    Function 047B3A29 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 61fb67ecca1de0a55f1084187f2c869987f589a2e7998fe4f08ec5154cfb13ae
                                                                                                                                                                                                                                                                    • Instruction ID: 80a46a47de025467eeff009e27678ab1c00d873856d33a6ec673e34e8f9dfb93
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 61fb67ecca1de0a55f1084187f2c869987f589a2e7998fe4f08ec5154cfb13ae
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC218E30A04244AFDB04DF64D864BDABBB3EF88310F148429E845A7791DF79AC45DBE0
                                                                                                                                                                                                                                                                    Function 047B46A0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0f7c000dd8a19d2de6cfaa7f465e3ba1ebfea6d6c65661e81364ff825ab77041
                                                                                                                                                                                                                                                                    • Instruction ID: a05149d72dab38f2d9d2e00623ab2fc6dfe12abdab2e4ff747d5a0d90a2c1fa3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f7c000dd8a19d2de6cfaa7f465e3ba1ebfea6d6c65661e81364ff825ab77041
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E1136757042808FD7008B28D044AA87BE3EF9931572544D7E986C73A7DE349C03C792
                                                                                                                                                                                                                                                                    Function 047B28F8 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 055bd9d770db508e4466fdab51e634f9e0b30bcc5a52d4bdbc950ea787f945be
                                                                                                                                                                                                                                                                    • Instruction ID: ccb96de244d3c45b649f033d2b55b2752d4f3e89807adbd20397c7d6bfd971b5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 055bd9d770db508e4466fdab51e634f9e0b30bcc5a52d4bdbc950ea787f945be
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C115BA280E3C45FD7039B38A9A92897FB49D1310870A04DBC4C1DF1B3E968994AC7A6
                                                                                                                                                                                                                                                                    Function 047B38C0 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 96dbd4e02ab2b43e5a9d05bcd99b93b5529167b4020de102fa9d47de9cf43f9c
                                                                                                                                                                                                                                                                    • Instruction ID: cf50bc2d8527ab0066b4c47acb908c35a643ffd609ba430206178db6394ba729
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96dbd4e02ab2b43e5a9d05bcd99b93b5529167b4020de102fa9d47de9cf43f9c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9511A521B083981BF725267458143AE2FDE8B82618F1544AACDC1CFB82D9A8EC4553E6
                                                                                                                                                                                                                                                                    Function 047B1958 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 06b243b15e7d3dcdc11e1e791c737ff76e0617d7a5c63479231c037e78cffb67
                                                                                                                                                                                                                                                                    • Instruction ID: df00520a9d734aabc1f5c54afaa768b984a0226b7711400cb70305e664daf29b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 06b243b15e7d3dcdc11e1e791c737ff76e0617d7a5c63479231c037e78cffb67
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 60215E35600254EFCB04DF64E458AE9BFB7EF8C320F148459E809A7351CA79AC45DBE0
                                                                                                                                                                                                                                                                    Function 047B3A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 713b85e87755084bb9fa6ddb7e5a48bc49e7be51bddc10ae4b0588a275db28f4
                                                                                                                                                                                                                                                                    • Instruction ID: b9a6156af2f23fdaf7c22dc73d69eba97cf93465634244e57c501c2eec0cf58e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 713b85e87755084bb9fa6ddb7e5a48bc49e7be51bddc10ae4b0588a275db28f4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6117230A00205AFDB04DF65D864ADEBBB7EF8C314F148425E805A7794DE79AC45DBE0
                                                                                                                                                                                                                                                                    Function 047B5753 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 37c466d145680a0ae846641855bfa6e7b2e36af20eff59dff530666e436c3628
                                                                                                                                                                                                                                                                    • Instruction ID: e4e01a3807f2b81744a1d9d457ef9e3cace1f7daa4a0ef4943f7c41cb23d02e8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 37c466d145680a0ae846641855bfa6e7b2e36af20eff59dff530666e436c3628
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06117A726007455FE3115B28A4402D9BF92FBC231C700895BC68ACB6A6DB34B80F8390
                                                                                                                                                                                                                                                                    Function 0452D69F Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1861139014.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_452d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                                                    • Instruction ID: d8c67995b0de0feb5f2bb5052e425d7cf31fa023771adf635bdd2573b8e6e79f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7211D376504280CFDB16CF10DAC4B16BF71FB94314F28C6AADD094B656C33AE45ADBA2
                                                                                                                                                                                                                                                                    Function 047BA219 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7814bc3603d179b1f8f72c556ccad0cfc886b9e7b4de74e01a855013cc27965e
                                                                                                                                                                                                                                                                    • Instruction ID: b9b5861f5a4370ce5dd3fd364f8d5ca7ffd2e014736a13e8e985f53a6a5e5376
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7814bc3603d179b1f8f72c556ccad0cfc886b9e7b4de74e01a855013cc27965e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 35119D34B042098BCB04DF69C980BDEBBF1AF88310F218569D881AB391CB31ED05CB90
                                                                                                                                                                                                                                                                    Function 047BAAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2440552a51a8734c0076876c4021d8198997ae38ed0957048bf0e6a1974c0b1a
                                                                                                                                                                                                                                                                    • Instruction ID: 1d9c0533936af3e0651a6cdc90e2d85052c513dbddf93737f88d92c9c1c394ff
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2440552a51a8734c0076876c4021d8198997ae38ed0957048bf0e6a1974c0b1a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BE212E74E00209DFDB44EFA8C580AAEBBF2FF88314F504599D945B7364DB34AA40CB91
                                                                                                                                                                                                                                                                    Function 047B1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e06f83d83e5f11f4f34ce7c9c9845b8c94922bf95ef95c89ae3ad6bafb316b4a
                                                                                                                                                                                                                                                                    • Instruction ID: c9f99c1b633af9e90e6e84700869c9defed62faeaa14b6c6464a387b87af51de
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e06f83d83e5f11f4f34ce7c9c9845b8c94922bf95ef95c89ae3ad6bafb316b4a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E2102B1D002498EDB10DFAAC484BEEFBF0FF88324F10852AD459A7240C775A945CFA5
                                                                                                                                                                                                                                                                    Function 047B0F40 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e9d49905f08d977cfaab9ca86b1ff8647934ae68bf5baaeaf1c5f23702955c0d
                                                                                                                                                                                                                                                                    • Instruction ID: b27ac73f1dd6e009100f82a8ce39ece71ef15372fa9a8edcb5b94543324c10f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9d49905f08d977cfaab9ca86b1ff8647934ae68bf5baaeaf1c5f23702955c0d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF1149702483849FE305A770E878BAA7BE1EB41304FA548DAD589CF7D2CA65F844C792
                                                                                                                                                                                                                                                                    Function 047B46C8 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 36847e0b74004ceb356fbde6d8d2fbc9cb11c5858bc25791edace615b54ba1c6
                                                                                                                                                                                                                                                                    • Instruction ID: a2623019a7132bb7806a6890f178671c90bc295a6d3931159e9d05cdbeabef73
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36847e0b74004ceb356fbde6d8d2fbc9cb11c5858bc25791edace615b54ba1c6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E11E338B052449FCB04DB68D444A9DBBF6EF89315F1145EBE584CB3A2DA389C06CB81
                                                                                                                                                                                                                                                                    Function 047B1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 830b7c949dcfde155c121f67691c308b27fc7e82251679911f6194f04010dfd2
                                                                                                                                                                                                                                                                    • Instruction ID: 99a6520f596a25334786c60bdd8b02a02f710be8c92b16eb59dfb99475792542
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 830b7c949dcfde155c121f67691c308b27fc7e82251679911f6194f04010dfd2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C1110B0D002498BDB10DFAAC480BEEFBF4FB88324F10802AD459A7240C774A945CFA5
                                                                                                                                                                                                                                                                    Function 047B2998 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 90382d5a3e7fefd8b2d3f2c1f8ea383909a4e417efb730bb26758765214ae169
                                                                                                                                                                                                                                                                    • Instruction ID: 4bf1de57b22eeafbb23da516dce1beab57bad20b8dbb59b7c45bedddb62fe9a8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 90382d5a3e7fefd8b2d3f2c1f8ea383909a4e417efb730bb26758765214ae169
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2611217190A3809FC702CB74A9553C83FA4EF83208B1545EBD084AF273E9206C0A87D6
                                                                                                                                                                                                                                                                    Function 047B1440 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1bf9a4cea625b35a62f6db80dff5b84987049df0ca535bc5eea10059ec73b42b
                                                                                                                                                                                                                                                                    • Instruction ID: 1cd9042030a4b58623f0f9cb9c3a37b7b84d13ac2ef0d6d9e51befc6bb0c20f3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1bf9a4cea625b35a62f6db80dff5b84987049df0ca535bc5eea10059ec73b42b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A01DD30619349AFC7099F3479352567FEADFC26443094DEAD589CF253E914D805C3E2
                                                                                                                                                                                                                                                                    Function 047B1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b72ad43b3200f4734fd9628b5991d7fa4ab7cc32ca6f5e6d10ed89b0cd7a004f
                                                                                                                                                                                                                                                                    • Instruction ID: b0c953f86b751475d3ef84ad3e82dfbe696a08fea14fbd209cad0458ca69ce23
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b72ad43b3200f4734fd9628b5991d7fa4ab7cc32ca6f5e6d10ed89b0cd7a004f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 85112B31600255EFCB04DF64E458AE97FB7EF8C320F148459E80AA7391CB79AC45DBA0
                                                                                                                                                                                                                                                                    Function 047B182B Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fefdd9c2267eb577ef5f3e978a2468d036c5a927917091fe0d30b01e922bb339
                                                                                                                                                                                                                                                                    • Instruction ID: 8c1b19b3f95d812b694ec2d4eeed125910c087e30974124b1ae520c575b06a65
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fefdd9c2267eb577ef5f3e978a2468d036c5a927917091fe0d30b01e922bb339
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4001F270A0020597EB18EA6885687EFBAE6EBC8354F14812EE042B7380CE75AC01CBD0
                                                                                                                                                                                                                                                                    Function 0452D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1861139014.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_452d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: aea55939778e3cd5cb2a820ac992945714e653c29cc19b879b7a718a59dddba0
                                                                                                                                                                                                                                                                    • Instruction ID: 8be0b8e9e4ac68754446fa606b2f9c4a738fadb0f2e7106467d8b26790f970a7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aea55939778e3cd5cb2a820ac992945714e653c29cc19b879b7a718a59dddba0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BD01DB715083509AE7108F26EE84767BFA8FF42324F18C52BED484B1D6E279E849D6B1
                                                                                                                                                                                                                                                                    Function 0452D006 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1861139014.000000000452D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0452D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_452d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0546d21853d10d89a0a36cdc24b586353731592a9300c5a0410dc91914fcf819
                                                                                                                                                                                                                                                                    • Instruction ID: 6d052937cba1e7cdb49e1a224d25121b0482f8c0f2165bd58a7a32cb40977ec4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0546d21853d10d89a0a36cdc24b586353731592a9300c5a0410dc91914fcf819
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98014C7140E3D09EE7128B259994B56BFB4EF43224F19C1CBD8888F1A3D2699849C772
                                                                                                                                                                                                                                                                    Function 047BCB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b8ac017b17c019e25208477d6dc4183d5e525229bcfcf3cd52220a0c4444a3b8
                                                                                                                                                                                                                                                                    • Instruction ID: 4c093ad9d9957cd687642d9e360c9b2be31250df0fa1bf90faf3b2dae24b19e0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b8ac017b17c019e25208477d6dc4183d5e525229bcfcf3cd52220a0c4444a3b8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FFF090363181255FA7058A6DAC84AAFB7EAFBC4A69314453EE509C3350DF61DC0287D0
                                                                                                                                                                                                                                                                    Function 047B4F3E Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 323aea4e28860ae904fcab32d172dd189688bffbf03d582b2a56e4e52406400a
                                                                                                                                                                                                                                                                    • Instruction ID: 4a4e29773d85e18e18793c753f97d38bf397b0e72400b7634e8f20cef4305cb5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 323aea4e28860ae904fcab32d172dd189688bffbf03d582b2a56e4e52406400a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2B011231740105CFCB01DF68D98099ABBA1FF843187148666E5199F36ADB31FD0ACBD0
                                                                                                                                                                                                                                                                    Function 047BB920 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: aa328dc682efee2377ad5b24fe1ef9a3c265306c567fb181b4e10e8bb08bf571
                                                                                                                                                                                                                                                                    • Instruction ID: c152e62be496355f698295db9414d51e123697fdf5ea9da6e6d090cc90340ee7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aa328dc682efee2377ad5b24fe1ef9a3c265306c567fb181b4e10e8bb08bf571
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D201D6717443004FD754CA28D8A0B6ABBD69F89361F05807ADD88C7796DE35FC01C750
                                                                                                                                                                                                                                                                    Function 047BB070 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b980127faf836aa1bad4fa2f7b6b8594abf31b89adfcf2a7a1987895dec0b975
                                                                                                                                                                                                                                                                    • Instruction ID: ab53b973e7d2550db7fdf21fa6130feb11bfb53a3a395c528405efffa222311e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b980127faf836aa1bad4fa2f7b6b8594abf31b89adfcf2a7a1987895dec0b975
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E012635B042018FD705CBA4D840369FBE6EF85200F05C57AC558C7795DF34E806CB91
                                                                                                                                                                                                                                                                    Function 047BE3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 34a27e7cef6b9c3e59cb911b637a31d922ad9f3e262593b65fdc29bca76a05ae
                                                                                                                                                                                                                                                                    • Instruction ID: 28d8a4070ee371b6d65fca84aaaba6879bf6a89a0dff3c1ebb5e3b3a5739a08c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34a27e7cef6b9c3e59cb911b637a31d922ad9f3e262593b65fdc29bca76a05ae
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A201D6767002114FE7019BA898513ED77A2FBC8214F148556E645AB344DBB0FC4A87D1
                                                                                                                                                                                                                                                                    Function 047BE36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fc02468203d873f40180c1bc812233fd589dbaf064be09cbdd8e57242b5c1112
                                                                                                                                                                                                                                                                    • Instruction ID: 43932d08958d433fea80df171d928eb648376217e23dac835ae66cae4bc9e5df
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc02468203d873f40180c1bc812233fd589dbaf064be09cbdd8e57242b5c1112
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 76F0F437B402104FE70297A888503AD77A3FBC8614F158966EA45AB340DFB0FC0A87D0
                                                                                                                                                                                                                                                                    Function 047B56D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b782cbc2f88d79908550d21a49d48c6bead8a0b965c37e0e225074e5a57a09b4
                                                                                                                                                                                                                                                                    • Instruction ID: 3fe107b3832578c7f33615b18313f239f85f485162dd1026050b90515270a998
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b782cbc2f88d79908550d21a49d48c6bead8a0b965c37e0e225074e5a57a09b4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BCF0FF312002096BE714A7B9940056EBAD6EBC23187404E29E60AEB754DFB9BC0D87B5
                                                                                                                                                                                                                                                                    Function 047BAF00 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0eadb98c86c1023a6b0cb741c0a76a3d58ac7e28be5277e19adb73ebf0725a5f
                                                                                                                                                                                                                                                                    • Instruction ID: 4219cbd4337fd6b1627bb34b59defb5dd01653349ef4a8e8b07f51c15c0c2df8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0eadb98c86c1023a6b0cb741c0a76a3d58ac7e28be5277e19adb73ebf0725a5f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DF027B27042010FDB555AAE6C80AD7ABD9EFCA668705C46BE01CC7356FE70DC0643A0
                                                                                                                                                                                                                                                                    Function 047B1431 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c577e5c0383e428ec9c8ef5606dab6ca4676d6365ebd209a102ff510a214935a
                                                                                                                                                                                                                                                                    • Instruction ID: 4a653f2e0b1dda370fa32616219a3f1438b672e5e18516ea2bb419d4446684e7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c577e5c0383e428ec9c8ef5606dab6ca4676d6365ebd209a102ff510a214935a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 21F02830A04345AEC70D9F3874352997FDAEBC27543490CAAC185CF352E928D80583E3
                                                                                                                                                                                                                                                                    Function 047BCB7F Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ef43d03de4c99f37ccbf5a58a376cde6c14a83b9756b5a155af4f65b37b9487c
                                                                                                                                                                                                                                                                    • Instruction ID: f17b711f916215141e98453ca094d7125387ed2272e9b998fc99b4695d7de9cb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef43d03de4c99f37ccbf5a58a376cde6c14a83b9756b5a155af4f65b37b9487c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36F0F0363082550FE7064B28E8907AE7BE6EF84654B0540AED848C73A2DE74CC06C380
                                                                                                                                                                                                                                                                    Function 047B3C89 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8ce0e2cb59e49ff48005b56c8b0bfe1ee15b6373d7a80d28a05f3d812d16424b
                                                                                                                                                                                                                                                                    • Instruction ID: d70456542bff1493e4b9fd366f115952fd88adf137b3dfdb476d86eeeaa3d7bc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ce0e2cb59e49ff48005b56c8b0bfe1ee15b6373d7a80d28a05f3d812d16424b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E6F0A43625D28A8FEF028BB8FD557947F68E741308B041662F445CF267DB60E84D9B80
                                                                                                                                                                                                                                                                    Function 047BA369 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f9d7bd84ada31e8733ef37cc25bc48663db853901247c9f2d109734a45ed29bc
                                                                                                                                                                                                                                                                    • Instruction ID: aa157280d5b070ef32cbb214b7d5aee984f08af2b96a655c5e246a259032e48b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f9d7bd84ada31e8733ef37cc25bc48663db853901247c9f2d109734a45ed29bc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FAF024327093918FDB066B359804658BF66AF82218F2880EDC8480F247DE329C03C7E5
                                                                                                                                                                                                                                                                    Function 047B45B8 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 70fa969ab052a96f8b54962bd3f5c418537d050a9f2f620db30e059cc66125bf
                                                                                                                                                                                                                                                                    • Instruction ID: 804e361350c095ab15a43a35d778c72a0f408496269ac73e4818a5313e41ca80
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70fa969ab052a96f8b54962bd3f5c418537d050a9f2f620db30e059cc66125bf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09F0E9353042428FD7119B7CE950A6D7FE29FCA3047154969E445DB376EB30EC06CB60
                                                                                                                                                                                                                                                                    Function 047BC688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a7101b0fb8bb461abef5a786461b5915370015c1c3b181da58c20f7f6fb85846
                                                                                                                                                                                                                                                                    • Instruction ID: f04424e8914f74cab62d9030e921cd8de3a701679ee84608ab2f31c93bd667b5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7101b0fb8bb461abef5a786461b5915370015c1c3b181da58c20f7f6fb85846
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0F023353002114FC704D775D500996B7DBAF88294304D1B9D908C7734EE71DC02C7C0
                                                                                                                                                                                                                                                                    Function 047B68D1 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ee82997e8d2d306d737db94908f8e78419931ed66bcdc270186d8205c343e45f
                                                                                                                                                                                                                                                                    • Instruction ID: 2b77ceaef6138325cf519d016db1998921995233041950fcf3f946ab8ec8c716
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ee82997e8d2d306d737db94908f8e78419931ed66bcdc270186d8205c343e45f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BEF036767442455FD706CB54D400A9CBFE6AF85350B0A809AD988CB252D734D915CB51
                                                                                                                                                                                                                                                                    Function 047B38B0 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4114e06e17162571cc629c860d15fc8452aa5417f65b707bdeedf46753035782
                                                                                                                                                                                                                                                                    • Instruction ID: 988e7766d60734babd0296b2e8f290f17e2406c75ba178a91860fb1774c59353
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4114e06e17162571cc629c860d15fc8452aa5417f65b707bdeedf46753035782
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4BF0371171875C1AFB25156459103EA2ECD4B4271CF17017BCCC18FB87E5D4E8C183E2
                                                                                                                                                                                                                                                                    Function 047B4553 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 39dbbcdb5a3f006e20fb67a07bc5c123e1028c568b12cf99486c9d703cf67dac
                                                                                                                                                                                                                                                                    • Instruction ID: 72e99d0289f0508aae8b8b1b66e32fd34b3402e3a50c66bcfe2a36a9a697453c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39dbbcdb5a3f006e20fb67a07bc5c123e1028c568b12cf99486c9d703cf67dac
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0EF027323486450FE306A378AA5025C7BD2EFC225430149BEE69DDB3A2DE24ED09C395
                                                                                                                                                                                                                                                                    Function 047BC4C9 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4015b1c54803eea3edd888314a034f1132f87216cef4075782f873fff674d040
                                                                                                                                                                                                                                                                    • Instruction ID: 2c393709aed57fcb8215b1017dbc4fb60d56cb84d1981a6fe1ccaca37926b3d9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4015b1c54803eea3edd888314a034f1132f87216cef4075782f873fff674d040
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 85F027753043014FD3239A24D8007E977628F81391F55C26EC5C48A6E9EF64E848C381
                                                                                                                                                                                                                                                                    Function 047B4560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ddd5f478b496934d1842b09606ed145e303ac13e16a0147601707ee2f12ef441
                                                                                                                                                                                                                                                                    • Instruction ID: 39041cb09f97911919ede23ccbcd8fa35c09b7aa95c20a037a06a41ebcc31257
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ddd5f478b496934d1842b09606ed145e303ac13e16a0147601707ee2f12ef441
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ADE02B323005151BD215A77DA90055EB6C6EFC52A4300497DF21DD7350DE24FC4943D8
                                                                                                                                                                                                                                                                    Function 047B57A8 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8b21593f4f8c889ef9839fd991fcdb0b405ef71b2753757e8e1775e673db5656
                                                                                                                                                                                                                                                                    • Instruction ID: fc6b34095c6c51ca74fe6b36853ac32d5f8a12ab0b2ef3da538228e75112f73b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b21593f4f8c889ef9839fd991fcdb0b405ef71b2753757e8e1775e673db5656
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CF0E9353043418FD711D738E8507583BD6AF8621870948BAD484CB3B6DF30EC45D350
                                                                                                                                                                                                                                                                    Function 047B6038 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e55500b97999624f1c7769acf4003949beb74b9f3ff5efec9c90d7d2f3c41627
                                                                                                                                                                                                                                                                    • Instruction ID: 57f55d054d7d6f23d4e753eb73d3f2e828ba702b571b166548d3e43796ef28dd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e55500b97999624f1c7769acf4003949beb74b9f3ff5efec9c90d7d2f3c41627
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7EF0FC36108BD08EC3269B54E404385BFE1EF8130CF054C5DC1C6476A2EBF4A548C746
                                                                                                                                                                                                                                                                    Function 047B6880 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9752e261fa196c125de482f83f99b03571a259ef08f8e9a3e7f716f7161ca34a
                                                                                                                                                                                                                                                                    • Instruction ID: 514551632aa58df08dba0cba171c2713838dc870bf8938d81496ed7cc39e77b1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9752e261fa196c125de482f83f99b03571a259ef08f8e9a3e7f716f7161ca34a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46F01DA250D3C26FC3234B38AD20651BFB19FA7211F0B46D7D8C0CB1E7E6289856C362
                                                                                                                                                                                                                                                                    Function 047B36A9 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8a4bf07a491edf86818f28b45666f28e76ee2b98dffa744ec95346b983753e1e
                                                                                                                                                                                                                                                                    • Instruction ID: cf55ee59bb9012ea0481da2e3a27476d10b6841a5d273fab1ddb709dd652fc01
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a4bf07a491edf86818f28b45666f28e76ee2b98dffa744ec95346b983753e1e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3F08CB0E0829AAFCB50EF798C003EEBFE49B45214F1145AEC899E7391F63496518BC1
                                                                                                                                                                                                                                                                    Function 047BAB90 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d6989eb21683dad29839e51fe05b067c410e927ab553c1626326802176713f33
                                                                                                                                                                                                                                                                    • Instruction ID: 69631b9779bb37e28dfe30516ce289d62a589acfd8ce004bfecd168b6b251ba7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d6989eb21683dad29839e51fe05b067c410e927ab553c1626326802176713f33
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AAE092753092508FC7085B39F4946687BE7EFC9322B5A41FAEA8AC73B2DE658C15C740
                                                                                                                                                                                                                                                                    Function 047BC678 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 58ea20c55b65c50a5d6afed7c2484de29188cddff085376e0ab676739f076d48
                                                                                                                                                                                                                                                                    • Instruction ID: 9d0676c4f55e8985203a524992f0a06c9ca32fbcb3e98f2a7ce68e2b51842b04
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 58ea20c55b65c50a5d6afed7c2484de29188cddff085376e0ab676739f076d48
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 02E0267A6083425FC31652719904B92FF9A9F46258F09C1EEDE804B3A6EF76DC42C7D1
                                                                                                                                                                                                                                                                    Function 047B36B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                                                    • Instruction ID: 84c9d58a3f07cf0f9877b071a8565d3de66ab9ebddd2bdb4fc16351e15cd5151
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9EE01270F0021ADF8B40DFA999002EEBBF8AF48144B108569C959E7300F332AA51CBD0
                                                                                                                                                                                                                                                                    Function 047B6AAF Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1b287ff0befa5a99eb33e06e03088d25e00ebfc93047fe928411516837c636f6
                                                                                                                                                                                                                                                                    • Instruction ID: 67904665a2a69c2f050ee68fa6d46a872dd320f8a3cf70343ff43c2cc52d8609
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1b287ff0befa5a99eb33e06e03088d25e00ebfc93047fe928411516837c636f6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C9F06DB92042858FE311CF5CD890E917FE1AF55204B1681AAD988CB3A3D725ED1ACB50
                                                                                                                                                                                                                                                                    Function 047B3CC0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a98b062004b43f3f782a49d3b715a1a053cb318eb39a794ecb1bc6683a2e68d7
                                                                                                                                                                                                                                                                    • Instruction ID: 9ee006cbef5a0e7627cc295c960566383f79223ce1380c3d48dcb845131d1dab
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a98b062004b43f3f782a49d3b715a1a053cb318eb39a794ecb1bc6683a2e68d7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46E0D82A3452900BC7060668702C3A87F52CBD2555B09049FCA45C72D2CE155C49C356
                                                                                                                                                                                                                                                                    Function 047BC1D0 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 03959a6d01c8e6adf9e733d2894feb036ff63da47f855924c028312f14847760
                                                                                                                                                                                                                                                                    • Instruction ID: a737b0edbb487f6f43fddd35a3e07141b9a5a228c5d8c89cf52243335570a3a8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 03959a6d01c8e6adf9e733d2894feb036ff63da47f855924c028312f14847760
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92E022762087410FC3066B34E51835C3FD2EBC6369F050EAEC8C6832D2DE28AC46CB55
                                                                                                                                                                                                                                                                    Function 047B17F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d7b8d1a234d944d9cb69bc31935a50a1ff7fa9d26582d12ddde82934a6a037df
                                                                                                                                                                                                                                                                    • Instruction ID: 5e72032f0a79a73c14161cdb2792f55c077044eb5ca36363de9035c9dac665cb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7b8d1a234d944d9cb69bc31935a50a1ff7fa9d26582d12ddde82934a6a037df
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 81E02B3351D2885FC7061B21A8265DA3FB8D75A16231500E3F8C08B362DD616C14C3D0
                                                                                                                                                                                                                                                                    Function 047BC1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8e5f696344dc2782ea57706c18b51714d5d2389507feed2d1efa1bdedf9c1cef
                                                                                                                                                                                                                                                                    • Instruction ID: 95397376511365284bd46364e28932af987d24b221c2e3a542c27e52244fc12a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e5f696344dc2782ea57706c18b51714d5d2389507feed2d1efa1bdedf9c1cef
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 50E0C2352003144BC6147768E10855E7BDAFBC9B69B000D2DE54683740CE75BC458BE8
                                                                                                                                                                                                                                                                    Function 047B3CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bcfd97b28d741de39ed0f2b199cea445d4fd01babc6e5fe0c6fca8d2e29a0ddf
                                                                                                                                                                                                                                                                    • Instruction ID: 70683e9814e61e4a0fe43814d60cc276cc06d1bbb6bf7e8f0d92c3cf63c39736
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcfd97b28d741de39ed0f2b199cea445d4fd01babc6e5fe0c6fca8d2e29a0ddf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AD0A73E34012413060522DE742C56EB7DECBC5D61304093FEE09C3380CE55AC8A53E5
                                                                                                                                                                                                                                                                    Function 047B6AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 75a2926ab5f425c1c76017556196bc1d7f03ef150d45d5828cd2d529abf003a9
                                                                                                                                                                                                                                                                    • Instruction ID: 6d02d943665cd0f8eebe208cd1cadb2092a213cfd5476fe732d8056a73efafc8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75a2926ab5f425c1c76017556196bc1d7f03ef150d45d5828cd2d529abf003a9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ADE0EC753042049FD714DF5CD980C91BBE9EF59254356C19AE988CB362D722FD16CB90
                                                                                                                                                                                                                                                                    Function 047B46D8 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bb7ed8d937738f1d343a21d192f5c6079853275b236ff489fb180936f576ca6e
                                                                                                                                                                                                                                                                    • Instruction ID: 836211e9d6effc85b5edeee3a83d94b4ed931fb54d60d2f4f050daa1dec450e1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb7ed8d937738f1d343a21d192f5c6079853275b236ff489fb180936f576ca6e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AEE0B674E0420CAFCB44EFE8D54459DFBF5EB88300F0085AAE809E7354EA385A44CF81
                                                                                                                                                                                                                                                                    Function 047B1C29 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ab03abc99df09a654832c19e8b6b83eeb7272cb84a3f847858ae46b4009d3462
                                                                                                                                                                                                                                                                    • Instruction ID: 7a4069ecfb4a0426f39ed58f046178babc370ca877f5c4879372a1bcdaf10b24
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab03abc99df09a654832c19e8b6b83eeb7272cb84a3f847858ae46b4009d3462
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C6D0234B90A22837C717205429113DF670AC787B50F410D73E4DC8630241096D0A01F6
                                                                                                                                                                                                                                                                    Function 047B3CFF Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7b79f64b7e24e120c45c8b48581466dbd5140a59ed4c5d5ea43e95c332319771
                                                                                                                                                                                                                                                                    • Instruction ID: f82382383ec19fdefe227ed58931a89bd1fd39353a86927ed0f34326bb4a2f3f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b79f64b7e24e120c45c8b48581466dbd5140a59ed4c5d5ea43e95c332319771
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66E0926080C2CB9ED702AB30E5547583FB0DB12308F2505DADC848A1F3DE561516D302
                                                                                                                                                                                                                                                                    Function 047B3938 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7c948f6d5086eac5dc6ec5f9d0e0bf06803408c1dd385813c783c444b8d27f44
                                                                                                                                                                                                                                                                    • Instruction ID: 2c179e43c3d6054aa16087e5a601e56a72d3de8a4624b742744ed662b6b7a09c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7c948f6d5086eac5dc6ec5f9d0e0bf06803408c1dd385813c783c444b8d27f44
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 39D02B11F4D3946FC3202164180479F7F8D4B42610F0144E7DDC49F342D86CDC4043D1
                                                                                                                                                                                                                                                                    Function 047B0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fea55d2874d455f6489433aead2233244c45dc062b34d1ffd478e0bf69cf5512
                                                                                                                                                                                                                                                                    • Instruction ID: d71331f38290c19baf9a8b2ce80c727eb75cd39df2b32b4f7b8184de9529157e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fea55d2874d455f6489433aead2233244c45dc062b34d1ffd478e0bf69cf5512
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77D0A7323141186B56046619D89A9AABB99E7892A03504433F98283324DD60BC4493D5
                                                                                                                                                                                                                                                                    Function 047B3D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a817a806593a101d912371c907fd251fe9f203bfcb30288f4166f92a753a7e7d
                                                                                                                                                                                                                                                                    • Instruction ID: f307d1bc105e607f0470b3b4c7458f506111197afec3c7e95bee2e57170f0122
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a817a806593a101d912371c907fd251fe9f203bfcb30288f4166f92a753a7e7d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 74D01730A4510DEFCB00DFB8EA0155DBBF9EB85204B1049E9E808E7350EF316E049B91
                                                                                                                                                                                                                                                                    Function 047B0440 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 666f248a185beaa67be3de064e1190c2d568bb622ab604503885a0809092323b
                                                                                                                                                                                                                                                                    • Instruction ID: 554c82aec367e1e24e3810c12b223d6e73882441c4df6714bfa8b38a9b6dc907
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 666f248a185beaa67be3de064e1190c2d568bb622ab604503885a0809092323b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DD05EB511D3C0AFC30247945554099BF61BA6330878AC296C08488217C225D492E3B1
                                                                                                                                                                                                                                                                    Function 047BE32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2505c63911adaf193d1c0babe7ff7cc58ce3946bf717a9ec3faa7f2d6878374d
                                                                                                                                                                                                                                                                    • Instruction ID: fd40287ccc508991f25d3096a97b15dbf0b3b57232a5b4986db02b970ac690d8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2505c63911adaf193d1c0babe7ff7cc58ce3946bf717a9ec3faa7f2d6878374d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4E0E270A0460ACBDB149FE1C5A8BEE7771BB04709F204818D406AA384DBB8A90ACF91
                                                                                                                                                                                                                                                                    Function 047B2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 449078b04a66497e29463e4806a81941b99fd2a06767a419e645d4944b6fc2f5
                                                                                                                                                                                                                                                                    • Instruction ID: bfde70d5bd0c6a4d49196fe6430cea71bdd6c954e91370c74eaa92b3a921cd87
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 449078b04a66497e29463e4806a81941b99fd2a06767a419e645d4944b6fc2f5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E5D05E70905209EFCF04DFB5E94195EBFFDEB44204B2086A6D408DB211EA305E05CB81
                                                                                                                                                                                                                                                                    Function 047B3C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d4cfbf858a73d19f75090f16543e1f62eacb855269ba0ec39aadb369b7fb6709
                                                                                                                                                                                                                                                                    • Instruction ID: 2d288c030948329c19c4c111735f0209002aab7a8b0d5d2a4bdbfc6e07603c9f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4cfbf858a73d19f75090f16543e1f62eacb855269ba0ec39aadb369b7fb6709
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0BD0C9303142088B8B489BE5E5596657799DB8860430488ADA80ACB381EB26F8568680
                                                                                                                                                                                                                                                                    Function 047B0F50 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 617504333967468cb26308e57df5c232803c3c38d08b79d3ffc45a29ccdb1ae3
                                                                                                                                                                                                                                                                    • Instruction ID: d5407f99be05658db9ec252bc062ff4e9ecf2fc7c3dac4ff6a570aadcb16f6cd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 617504333967468cb26308e57df5c232803c3c38d08b79d3ffc45a29ccdb1ae3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 53C080207503088EE9012766262C37A714FD740544F404C14A94E95308DC24F44401C4
                                                                                                                                                                                                                                                                    Function 047B46B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4f3d15aa2690c0dd0fa08b6b9658811324984601f6832c6a88edda80d09f8ee3
                                                                                                                                                                                                                                                                    • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f3d15aa2690c0dd0fa08b6b9658811324984601f6832c6a88edda80d09f8ee3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
                                                                                                                                                                                                                                                                    Function 047B0E7C Relevance: .0, Instructions: 8COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ee3c284de605d844b24af9f21bceac4c121fff07b846176ce25c7681e527b0d9
                                                                                                                                                                                                                                                                    • Instruction ID: 96f396f110060ebdbdb0b8b820353e9a4515b5576d0d79d98169bbe645107539
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ee3c284de605d844b24af9f21bceac4c121fff07b846176ce25c7681e527b0d9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0AB01285754000167900AB3648E46F78087D6C0244BC4CC206543A421C5C24F0001044
                                                                                                                                                                                                                                                                    Function 047BCAF0 Relevance: .0, Instructions: 3COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 757bcef925ace33ab9e58e983ad1b76ace515cb9225a2b4e8c51e462eece159b
                                                                                                                                                                                                                                                                    • Instruction ID: 58f5b0fa4511bfb3bdadcfff73337b31b278137d08a0624c204a477b840551b2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 757bcef925ace33ab9e58e983ad1b76ace515cb9225a2b4e8c51e462eece159b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash:

                                                                                                                                                                                                                                                                    Non-executed Functions

                                                                                                                                                                                                                                                                    Function 047BF7E8 Relevance: 7.6, Strings: 6, Instructions: 142COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$,bq$,bq$Hbq$`]cq$`]cq
                                                                                                                                                                                                                                                                    • API String ID: 0-2072144370
                                                                                                                                                                                                                                                                    • Opcode ID: dfcd60f9751805aef9a4dc1bb2880bdf7c358c61df13ecfe6f94298297c9782d
                                                                                                                                                                                                                                                                    • Instruction ID: 50fd73ff60f141630ebe1d52733b5d292dd92a408bb10d3635b5ae84d38afbd5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dfcd60f9751805aef9a4dc1bb2880bdf7c358c61df13ecfe6f94298297c9782d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E1412A317042248FDB146F3DA81456D3BEAEFCAA6132508ABD586DB3A1CE35EC05C7D9
                                                                                                                                                                                                                                                                    Function 047BEFF8 Relevance: 5.2, Strings: 4, Instructions: 233COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$(bq$,bq$,bq
                                                                                                                                                                                                                                                                    • API String ID: 0-3352830385
                                                                                                                                                                                                                                                                    • Opcode ID: 1d4759fc3eaaca37c63610ce1f991ae80802a79064f273c02bbff141c48ac405
                                                                                                                                                                                                                                                                    • Instruction ID: a70e72f884e2414ec999f0130692df6990c4f604c7b4ca6abb5075c739767185
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d4759fc3eaaca37c63610ce1f991ae80802a79064f273c02bbff141c48ac405
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E81A1357006058FDB14DF69C994AAEBBF2EF89744B208469D546EB3A1DF31EC02CB91
                                                                                                                                                                                                                                                                    Function 047BC2D0 Relevance: 5.2, Strings: 4, Instructions: 173COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000003.1860496181.00000000047B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_3_47b0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq$(bq$(bq$Xbq
                                                                                                                                                                                                                                                                    • API String ID: 0-2547123440
                                                                                                                                                                                                                                                                    • Opcode ID: 97846981a8f000e4c9be2cafcf00b7964c20b28cd0231d8de2d9006e090e5bde
                                                                                                                                                                                                                                                                    • Instruction ID: 82752bf8866dde55d5fbd1df3680221fcbff762fa4d6e6154cf89ad97ec042b5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 97846981a8f000e4c9be2cafcf00b7964c20b28cd0231d8de2d9006e090e5bde
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B051E4353087904FD3269B38D45466E7FE2AFC6244B1985AEC486CB7E2DE28EC06C791

                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                    Function 046A50B8 Relevance: .3, Instructions: 283COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 55e3ff25a7de7216b02be01746a29670361585792f691cc6feb6cf1a95393d61
                                                                                                                                                                                                                                                                    • Instruction ID: 33bb6aa7a3117dbcaa96fef7e5ba4953dcac8e095d1888a1369f32a0a78310a2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 55e3ff25a7de7216b02be01746a29670361585792f691cc6feb6cf1a95393d61
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 91B12B70E00619EFDB14CFA9C8857ADBBF1AF88318F148529D816A7354FB74A856CF81
                                                                                                                                                                                                                                                                    Function 046A59A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f0dad90ba273a9e6d73f688464d4ec9d33754824300eedd6b4168aaf1b4ad709
                                                                                                                                                                                                                                                                    • Instruction ID: c4d071852f9a029a97f4382f757e91c60205e733d16fda03d3360cf233cb7bbf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f0dad90ba273a9e6d73f688464d4ec9d33754824300eedd6b4168aaf1b4ad709
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72B15EB0E00619EFDB10CFA8D89179DBBF2AF88314F148529D816A7354EB74AC56CF81
                                                                                                                                                                                                                                                                    Function 046A1630 Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $^q$$^q
                                                                                                                                                                                                                                                                    • API String ID: 0-355816377
                                                                                                                                                                                                                                                                    • Opcode ID: 2cef012c5a35af73f6a7b605341c481eda278753844223b8753572fb6871b2d8
                                                                                                                                                                                                                                                                    • Instruction ID: 2392a99f7da3ce675952e4d2a46cc979d0bc02f3ee2617fb1cd09cbf5e2aa949
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2cef012c5a35af73f6a7b605341c481eda278753844223b8753572fb6871b2d8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DA51C231B006099FC715DF78D8505EEBBE6AFC6350F14816AE819DB364EA30ED52CB91
                                                                                                                                                                                                                                                                    Function 046A1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: a73e059db1a34b0416ebba2faf314d6169d1a070d5b94b1ace69d95be27cfa3c
                                                                                                                                                                                                                                                                    • Instruction ID: 95b774bdf8c27d14b82ae5b9547c233be69350956fc39e44d1ea47db18883e6a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a73e059db1a34b0416ebba2faf314d6169d1a070d5b94b1ace69d95be27cfa3c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B71C431B00618DFDB049FB9C9546AEB7A7AFC9300F148029E507AB3A4FE35ED528B51
                                                                                                                                                                                                                                                                    Function 046A0C1C Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (bq
                                                                                                                                                                                                                                                                    • API String ID: 0-149360118
                                                                                                                                                                                                                                                                    • Opcode ID: 8988b2a56a23e048d37f70e4d118063fd7bb93a5a7b7d57363ba2e76e2767afa
                                                                                                                                                                                                                                                                    • Instruction ID: bb764f80ae409e070b4d55c4593f9a316d79ee3027e9c3775e36482ff816ef08
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8988b2a56a23e048d37f70e4d118063fd7bb93a5a7b7d57363ba2e76e2767afa
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9851E430B04254AFD7049F68D4657AE7FB6EFCA314F14806AD506EB381EE35AC06CB91
                                                                                                                                                                                                                                                                    Function 046A50AF Relevance: .3, Instructions: 277COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8471aeb073edde296fdf7e35b2a8d586b031ebca11bd343d49456d5723cea25c
                                                                                                                                                                                                                                                                    • Instruction ID: 5448bac44ef5201a3f40bf0dec0fa19fc910f3ab1dc4acd00753240f5370643c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8471aeb073edde296fdf7e35b2a8d586b031ebca11bd343d49456d5723cea25c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3B13A70E00619EFDB10CFA9C88579DBBF1AF88318F148529D816A7354FB74A856CF81
                                                                                                                                                                                                                                                                    Function 046A599C Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3f0bdce73c69806e186df22bc4b2d58ca52dbb662f364a7accef2b93a3bb47a7
                                                                                                                                                                                                                                                                    • Instruction ID: 0251a99e623a80733459470636a473bc89fec25fecf68b9685d3fff9e290bb93
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f0bdce73c69806e186df22bc4b2d58ca52dbb662f364a7accef2b93a3bb47a7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D1B15DB0E00619EFDB10CFA8D99179DBBF1BF48314F148529E81AA7354EB74A856CF81
                                                                                                                                                                                                                                                                    Function 046A2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 557d0cfb1a1f204f4e04eba616e92759b241d75d303cb8527997d934fcbd8a2b
                                                                                                                                                                                                                                                                    • Instruction ID: 572147b7ff6831a823e738f746cc2b20030551246d241978facd49eedaa18829
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 557d0cfb1a1f204f4e04eba616e92759b241d75d303cb8527997d934fcbd8a2b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 70412B75B005049FCB14DF69D88099EBBB2FF89714B108169E906EB360EB31EC52CF90
                                                                                                                                                                                                                                                                    Function 046A1072 Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: efe07c4b174d53e365783b189d5b872d8aeb2f2af4dd914ba89031dd98cdf6e9
                                                                                                                                                                                                                                                                    • Instruction ID: 0931a8f0896de268ae4450cc18c5b42cb0ba67db7b675c38f20c5c230dac9eab
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: efe07c4b174d53e365783b189d5b872d8aeb2f2af4dd914ba89031dd98cdf6e9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59110A32B0021497DB10DE6599546EEBBEADFC9240F04807AD907D7345FE74EE178B91
                                                                                                                                                                                                                                                                    Function 046A2B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 23caccca532115f48d843cc422934f050e8447918fdcf1da3762442ec6c20ec1
                                                                                                                                                                                                                                                                    • Instruction ID: d24e2395b421683f6dcef4e96b15e5fef13631420e57b0f172e1ca225e0ab95e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 23caccca532115f48d843cc422934f050e8447918fdcf1da3762442ec6c20ec1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C11A035B405188F8B54BBBC54201AE7BE2AFC465971045BDD40AD7384FF34EE168BD6
                                                                                                                                                                                                                                                                    Function 046A2258 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fbd23c277900639e56d5c084bf3b0c90a37a73ac8102aceddf1207356ec57663
                                                                                                                                                                                                                                                                    • Instruction ID: 8a2021654e53c5542311e2dd0ac02652dd9d0d4a7fd2d3aef038eebc831e6fbe
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fbd23c277900639e56d5c084bf3b0c90a37a73ac8102aceddf1207356ec57663
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D212175E111149FCB54DF69D48099EBBF1FF4D714B10816AE805EB360EB319842CF91
                                                                                                                                                                                                                                                                    Function 046A1958 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c68ee96237083459ccdd6ca54a9a97dde55caeb97298b46dee553ceafb01adc2
                                                                                                                                                                                                                                                                    • Instruction ID: 687a185579967f946f5373d64514ac23b9a6d28fc8e279ad32fd3645b638a9f2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c68ee96237083459ccdd6ca54a9a97dde55caeb97298b46dee553ceafb01adc2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF119330600255FFC704DF64E85AAA9BBB6EF8C310F145059E80AE7391EF79AD46CB90
                                                                                                                                                                                                                                                                    Function 046A1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 53d9e0fa56138d82489b55ebb3504364a3c42e478ec24d6c994ecda004729287
                                                                                                                                                                                                                                                                    • Instruction ID: c31329f382e5ebb4b51dcf81aa2d5663de4e8321fcd638373e5fa74ea386155f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 53d9e0fa56138d82489b55ebb3504364a3c42e478ec24d6c994ecda004729287
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 382104B0D002498EDB10DFAAC480BEEFBB0FF59314F10842ED459A7240C7356945CFA5
                                                                                                                                                                                                                                                                    Function 046A1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bc3a521984d081014af374f2a3b540d194172fda9217b5eaf51b2edeebfc5fef
                                                                                                                                                                                                                                                                    • Instruction ID: 263c09146c98bd5c7d9787101b5bcd8915664259c0b67b680c13194e05d09a99
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc3a521984d081014af374f2a3b540d194172fda9217b5eaf51b2edeebfc5fef
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F111E0B19042498BDB10DFAAC481AEEFBF4FF89324F10842AD459A7250CB74A945CFA5
                                                                                                                                                                                                                                                                    Function 046A1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4c26481f27e6ac12383e0829ad51681faaeb196d00fff485fbcb4ac9e4492cc8
                                                                                                                                                                                                                                                                    • Instruction ID: c42533cb14998df27215038beb2afae217bc79725b53472c8e90569779dfbf14
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4c26481f27e6ac12383e0829ad51681faaeb196d00fff485fbcb4ac9e4492cc8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 97114F31600255FFCB04DF64E45AAA97BB6EF8C310F145059E90AE7391EF79AC45CB90
                                                                                                                                                                                                                                                                    Function 046A1440 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d68e30e47284a14057806f0b68f4eccca32714cc83e4794c2aae52485c767662
                                                                                                                                                                                                                                                                    • Instruction ID: fffd569bdd83b112675ff4ffbf0ceaa0dcbdf49c7fbcfe1ed0af9b5384976e64
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d68e30e47284a14057806f0b68f4eccca32714cc83e4794c2aae52485c767662
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C01B5306093856FCB099F3869361567FA9DF8350470518FAC54ACF253F915DC1A87D2
                                                                                                                                                                                                                                                                    Function 046A2B08 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3580159d3adb54f2b30eaa4f06aec9f33e2bb097ba4dfb68ca56a1d09e99eddf
                                                                                                                                                                                                                                                                    • Instruction ID: 211694b9bdeb6bc51d1ec265a32dc759a3b2345417ae6481b61171947f82250f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3580159d3adb54f2b30eaa4f06aec9f33e2bb097ba4dfb68ca56a1d09e99eddf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5701D234B006158F8B54EB78902516EBBE6AFC5609B1008BDC40ADB340FF35DE168FD6
                                                                                                                                                                                                                                                                    Function 00A7D01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000002.1866478804.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_a7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8c7c982d16d299e148ede64265379786fbb02b5fbeba261dbed96efe616b109e
                                                                                                                                                                                                                                                                    • Instruction ID: 5980cf751845d2550107ebc6a7d9b3ebd5fdb223140fca0fcc9e4d69a710f475
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c7c982d16d299e148ede64265379786fbb02b5fbeba261dbed96efe616b109e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B01D671508344AAE7108B29CD84B67BFB8EF51324F18C52AED4E5B286C279DC43C6B1
                                                                                                                                                                                                                                                                    Function 046A182A Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 695d02c9aeeed405362084e4c8030c8f6ab78f19dcfcc28c7291e5bd97042a18
                                                                                                                                                                                                                                                                    • Instruction ID: ad6dbda6ae52b7026e22a654d42151e42cdac039250bfceebea7e30536f2db54
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 695d02c9aeeed405362084e4c8030c8f6ab78f19dcfcc28c7291e5bd97042a18
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AF01FD32A0050597EB18AE68C1557EF7AF6ABC9308F20402DD002FB391EE766D169FD2
                                                                                                                                                                                                                                                                    Function 046A2A68 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 55c3fa881473b07986ffc1e3cd3b9d6716954e7f17d6facc91a10dcd944325ba
                                                                                                                                                                                                                                                                    • Instruction ID: 1b834b6c60ca053b06b900a84d537afff226bd57196ce9c7aa6c81863e17894a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 55c3fa881473b07986ffc1e3cd3b9d6716954e7f17d6facc91a10dcd944325ba
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 58019A35A00201CFC704EF74D505AAE7BF1BB89705B2000BAD90ADB360EB34AD02CB81
                                                                                                                                                                                                                                                                    Function 046A2997 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d1dee6ff7d11c951fa87c3fe26ab97945c1cbfc4c6dc9cef393f0bf533120c0a
                                                                                                                                                                                                                                                                    • Instruction ID: 4f56f6dbbb7f5b06f418053ffa133d4a9d515a9af6676918b8c273e1898c9c6a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1dee6ff7d11c951fa87c3fe26ab97945c1cbfc4c6dc9cef393f0bf533120c0a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DFF0D1312402008FDB18ABA0EA11A597B55EB82210B00947EE5069F2A1EF25E8858B90
                                                                                                                                                                                                                                                                    Function 046A2A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e76ac8d22411689e07fa7977ca70411b07eae9b013e55c3446db94b68300d71b
                                                                                                                                                                                                                                                                    • Instruction ID: 4ad350b12b7f71acd5209d6e5c7f8b6b64bd0a4cdf03638ccbd300e6a2a57edd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e76ac8d22411689e07fa7977ca70411b07eae9b013e55c3446db94b68300d71b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 19016939B002158FC704EF78D5156AE3BF1BB89615B1000AAE90ADB360EB35AD42CB81
                                                                                                                                                                                                                                                                    Function 00A7D01C Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000002.1866478804.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_2_a7d000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3d5ef0ac3554c8502bdb96e4e70c82db46e6636e4a9e99f1c2a3887b138f2522
                                                                                                                                                                                                                                                                    • Instruction ID: e06ec0759dc0f0cb265cde0ef27582e949a25d01912ab230f5f3c9e0fae9e2e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3d5ef0ac3554c8502bdb96e4e70c82db46e6636e4a9e99f1c2a3887b138f2522
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CF0C271008344AEE7108B16CC84BA2FFA8EF51334F18C55AED4C1E286C2799C42CAB0
                                                                                                                                                                                                                                                                    Function 046A29A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2ab1cb6d1b1566de07aa2cbe9cdb52be0e1cafbab93b5b8381396ddfee788f24
                                                                                                                                                                                                                                                                    • Instruction ID: 99cab62b0f64cccc717c83a9bb7413180eaa38fa1d8e0d7f46b735b84dcad4c4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ab1cb6d1b1566de07aa2cbe9cdb52be0e1cafbab93b5b8381396ddfee788f24
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ABF090313102008FDB08ABB4DA1565A3B56EB81314B009479E906AB365FF65FC859BE4
                                                                                                                                                                                                                                                                    Function 046A1431 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 33729cd95e0323eb93ca8f5ebe45a72cf63007a5ba8e018850d9a46bb6e06d73
                                                                                                                                                                                                                                                                    • Instruction ID: cfb4f95ea4a87f7f7f3f68a167a78865d0682a94ab2d7e88e009662a5636d80a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33729cd95e0323eb93ca8f5ebe45a72cf63007a5ba8e018850d9a46bb6e06d73
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F0F06270A04385AFCB0D9F78A5662167F9AEFC260470518BEC54ACF252F925DD06CBC2
                                                                                                                                                                                                                                                                    Function 046A2A20 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 88cf50b664bb6b25b078067d461184cf53ea2e1fd605703372014b7a43c203aa
                                                                                                                                                                                                                                                                    • Instruction ID: 10006f648c6d1415243e80c2fdf5b3737d94096aceba2be6f6a93a7adb92f6c8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 88cf50b664bb6b25b078067d461184cf53ea2e1fd605703372014b7a43c203aa
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F2E0DF30361921CFCB280EE6B11566D3798AB82611B2261AAE406EA391FB18DE524B84
                                                                                                                                                                                                                                                                    Function 046A2A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9203d097c7523ce17ed9c8f82e7b11e039b5939572555c3f89544dbf124d04f6
                                                                                                                                                                                                                                                                    • Instruction ID: 8f050754440f810061728f26c87d9e087a301c876f5bde3d642c75795cf3dc78
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9203d097c7523ce17ed9c8f82e7b11e039b5939572555c3f89544dbf124d04f6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0FD02B30351924C7DB141DF664242BE358CEF82651B012169F50AE2380FF1CDD424BC4
                                                                                                                                                                                                                                                                    Function 046A5EB0 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1c807222fdffd212358131c44eac5c92f9bd7e7dcf17a6245a955eb77c73cde4
                                                                                                                                                                                                                                                                    • Instruction ID: 450e3ebf25922745dfd7d0761c7442c136bad74c40b8fd21fd1a1069ce6350f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c807222fdffd212358131c44eac5c92f9bd7e7dcf17a6245a955eb77c73cde4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6ED05B312405155FD304DB58E150A9477A9DB4A729F22409AE109CF362CA96DC0347C4
                                                                                                                                                                                                                                                                    Function 046A0C48 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4715c4c3f050b7e5bf31a58570aacf561822b5527ccf1bc899de5357d57b9528
                                                                                                                                                                                                                                                                    • Instruction ID: 506d9cac4bf8528410cc8cde90b34b10cbdad6e81426537a57d5d28929b468ae
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4715c4c3f050b7e5bf31a58570aacf561822b5527ccf1bc899de5357d57b9528
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66D0A931350620ABD704A76CE45097A7799EB8A728B0008AAF20FCB320DE92FC010AC9
                                                                                                                                                                                                                                                                    Function 046A2959 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b0de5e7c8c51027368c1621d57a006dd16f08cd0d7cd717081b6fdc27bdd6601
                                                                                                                                                                                                                                                                    • Instruction ID: 0519131884002a4c0686ab9b43393fc7511b32f97e82272676d211ad67ead7f6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b0de5e7c8c51027368c1621d57a006dd16f08cd0d7cd717081b6fdc27bdd6601
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B3E08670441205DFCB08DF64E64291DFFF8EB86204F2195ABD404DB260EF319E00CB80
                                                                                                                                                                                                                                                                    Function 046A0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d9bca3f737d390541e2c39e9a381d8a6b021d369e79d7a2ea45ba55634b65f24
                                                                                                                                                                                                                                                                    • Instruction ID: 64f0fe55dd77cc3d01631cd7629609e28da3b7cba21bb6c255bcb03c38324fa6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9bca3f737d390541e2c39e9a381d8a6b021d369e79d7a2ea45ba55634b65f24
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 89D0A7363114186B57046A18D89686ABB99E7852617504437F90383224ED70BC518799
                                                                                                                                                                                                                                                                    Function 046A17F0 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6db7ca69498242b3fc3956202b4a039531f74e7fc2759e0f876b56bb7a67de7c
                                                                                                                                                                                                                                                                    • Instruction ID: 28dd530cac2a148192e9c2de1b91059d0d922ec070df3fcac2555cb794947eb4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6db7ca69498242b3fc3956202b4a039531f74e7fc2759e0f876b56bb7a67de7c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9DD05B32620518AFC314AF45E087E557FA9E755121B05406BE8068B270DE755E51C7D4
                                                                                                                                                                                                                                                                    Function 046A2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 98a42a8acc6ef6296dbdda8974bb86c272c0b40f37a242b15a8686c2dbcadc23
                                                                                                                                                                                                                                                                    • Instruction ID: 0663218660445b068a98b994a215746da6d1714af6744eed33a20eb1a6e765d9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 98a42a8acc6ef6296dbdda8974bb86c272c0b40f37a242b15a8686c2dbcadc23
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 76D05E70901209DFCB04DFB5EA4195DBFF9EB44208B2086A6D808D3220EB316E04CBC0
                                                                                                                                                                                                                                                                    Function 046A0440 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000005.00000003.1866061196.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_5_3_46a0000_rundll32.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 48b7c3e0ebe8ba24b3993b93c3e4671819d99b743b909c4ad9380607ad975ed3
                                                                                                                                                                                                                                                                    • Instruction ID: 476da1f08eb31e7311b25d304341d80b3a3f60e3f764a1bb7bd13feca850d7fe
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 48b7c3e0ebe8ba24b3993b93c3e4671819d99b743b909c4ad9380607ad975ed3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1D012714197819FC3174E544552450BF64EA7320434981ABC0428A167E1269957C621

                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                    Function 00007FFD9B28C922 Relevance: .5, Instructions: 458COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 29970ff6feaf00ce99864e241382f7a9b19b0372213151cb27972706683cd840
                                                                                                                                                                                                                                                                    • Instruction ID: 5493bd522b802cfa1b85f7b0f6a48272668c58b2c1464b91adeed3a70604aa80
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 29970ff6feaf00ce99864e241382f7a9b19b0372213151cb27972706683cd840
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4EE1B330A09E8D8FEBA8DF28D8657E977D1FF54310F04826ED84DC72A5DB78A9448781
                                                                                                                                                                                                                                                                    Function 00007FFD9B28172D Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b0b18ee37fe37234994068b188d8dd077883b918a99264eb7766c4f3f2186351
                                                                                                                                                                                                                                                                    • Instruction ID: 71f22b1faeba7487414597dd82e3efe4dabd668e59a7fade70339419936713b4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b0b18ee37fe37234994068b188d8dd077883b918a99264eb7766c4f3f2186351
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 08313770E1992D8FEBA9DF58C4A57ECB3A1FF49301F5145A9C01E932D5CA38AA81CF44
                                                                                                                                                                                                                                                                    Function 00007FFD9B281A2D Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 65f8c4713a6aae6508f1ea56588c31edc323e73368967d898d194a5a860c8dc6
                                                                                                                                                                                                                                                                    • Instruction ID: e963e020211a30e927bc4fc30ffeace5785ad708efa106c48569602d54d4f3c1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 65f8c4713a6aae6508f1ea56588c31edc323e73368967d898d194a5a860c8dc6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C011230E4E55E8BD3659EA080753FDF2B5EF0B701F5128B9D049672E2CA399680DB48
                                                                                                                                                                                                                                                                    Function 00007FFD9B281FAC Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a6a09597fce679a4c1053b43560e003bc7cf85ba8c5c0046b7a8a6672aa863a1
                                                                                                                                                                                                                                                                    • Instruction ID: 41ea8ef5c22e2ab95cc7d36b91afbe393d0172beff818f8066b7062e650ba3c5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a6a09597fce679a4c1053b43560e003bc7cf85ba8c5c0046b7a8a6672aa863a1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A014C31D05A2D8BEBA59F68C8A57FD72A0EF15A01F4540B9D01DA22A2DE382FC58B00
                                                                                                                                                                                                                                                                    Function 00007FFD9B28596E Relevance: 1.6, Strings: 1, Instructions: 384COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: K_^
                                                                                                                                                                                                                                                                    • API String ID: 0-3865075263
                                                                                                                                                                                                                                                                    • Opcode ID: e9ecde86917779c2949e3382cfd3ab4b4f6db0cb88be1188d8c312c9884d4194
                                                                                                                                                                                                                                                                    • Instruction ID: 33b2b7ee03386b605e654d4671303b326425e4efcad80026edd353b5ed7d7718
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9ecde86917779c2949e3382cfd3ab4b4f6db0cb88be1188d8c312c9884d4194
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3C14222A0FA9A4FE325677C68B54FC7BA0EF52234B4506FBD48DCB0E7D92855498381
                                                                                                                                                                                                                                                                    Function 00007FFD9B370853 Relevance: .9, Instructions: 946COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926381437.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8ddbdfa6e9ac35de17b8f5532ea799e36f5dd7774d59674eb672a1939cbddf43
                                                                                                                                                                                                                                                                    • Instruction ID: bc93b8d37503b2f7363812b5f4ec4c6f0feee2958fb651f2b7c9ca11a4e5c5ca
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ddbdfa6e9ac35de17b8f5532ea799e36f5dd7774d59674eb672a1939cbddf43
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 26F12821B0EA495FDB69E76C98AA6747BD1EF56710B0501FED08EC72F7CD14AC428381
                                                                                                                                                                                                                                                                    Function 00007FFD9B280E53 Relevance: .6, Instructions: 565COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 35367adc67c0d5f4eb4266ca2e8406b4159815379a4ed34acc1840d671e25126
                                                                                                                                                                                                                                                                    • Instruction ID: 2e88f93357c92be7da2bf22c11d3038a78f04152cf9b2c7e0bffda36127db223
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 35367adc67c0d5f4eb4266ca2e8406b4159815379a4ed34acc1840d671e25126
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E225C70A0991D8FDB99EB24C4A4BA8B7A2FF59305F5040FDD01ED72D9CE35AA81CB10
                                                                                                                                                                                                                                                                    Function 00007FFD9B28B679 Relevance: .4, Instructions: 412COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0bc6f0b19594c26cb3cfe5e57c2a387e396cfe16cc2647649a36b2804e45a7a5
                                                                                                                                                                                                                                                                    • Instruction ID: 5b2fab2423e62d0f915eef1db1e4539dedabc57ffd1f6c8171a4e89ab17b2c7a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0bc6f0b19594c26cb3cfe5e57c2a387e396cfe16cc2647649a36b2804e45a7a5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17D1D730A18A8D8FEBA8DF28D8557E977D1FF59300F04426EE84DC7295CB74A9458B82
                                                                                                                                                                                                                                                                    Function 00007FFD9B28D7BE Relevance: .3, Instructions: 318COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 32d6b9ad6d779d5c996da597d2c3e6aebe1e84977750b4534ec3537173f12f11
                                                                                                                                                                                                                                                                    • Instruction ID: 530031691f4dc8b544479dda75ffe231d7272e98e72fcef04e8130516a3a1c3a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 32d6b9ad6d779d5c996da597d2c3e6aebe1e84977750b4534ec3537173f12f11
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8AB1B670A08A5D8FDF94EF58C894BACBBF1FF69300F1141AAD00DE7261DA34A985CB41
                                                                                                                                                                                                                                                                    Function 00007FFD9B286772 Relevance: .3, Instructions: 295COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e2e61229182dd1f780cb09b992ed9129991e541652bb9e635f4d921148efdef2
                                                                                                                                                                                                                                                                    • Instruction ID: b1f220b427dc0de8979b5e2ed53ba6260bf5fa40c0601280947e591abf111282
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2e61229182dd1f780cb09b992ed9129991e541652bb9e635f4d921148efdef2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00A13E20A0FECE4FE7A6DBA848656A93BD0EF16210F0505FDD45DC71E3DD28A90A8380
                                                                                                                                                                                                                                                                    Function 00007FFD9B287A45 Relevance: .3, Instructions: 274COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2f390b2525338921c1ac6411de6af1bae25ff593ca8726375db684796c441e15
                                                                                                                                                                                                                                                                    • Instruction ID: b28b5a881bf95017a831b5c95746b40ecde0d122ac68aa47f99a6d0f4b7eed6b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f390b2525338921c1ac6411de6af1bae25ff593ca8726375db684796c441e15
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5091D57190EA8D8FDB51DBA488656EDBFF1EF4A310F0501FAD488D72B2CA386585C741
                                                                                                                                                                                                                                                                    Function 00007FFD9B281AC1 Relevance: .3, Instructions: 270COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2167d895da2b7eca532848c86e449f348677b15dc35cef77a27644e95c4b32d3
                                                                                                                                                                                                                                                                    • Instruction ID: 80f7574635eb938198f2ad432da3f6fb7239d0f4c806102829327694e51901dc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2167d895da2b7eca532848c86e449f348677b15dc35cef77a27644e95c4b32d3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5FA15E71D0A66D8FD765DB6888A57EDBBF1EF49301F0440F9D049A72E2CA782E85DB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B3700F4 Relevance: .2, Instructions: 239COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926381437.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1085b59af9694a4c732aaa5362a65756c23a574566925bd90edea614209a1ba1
                                                                                                                                                                                                                                                                    • Instruction ID: e2b0afdde6758ed813f299cfa0c8b3da43d0ec78786b2a0c4968f4232aeb2187
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1085b59af9694a4c732aaa5362a65756c23a574566925bd90edea614209a1ba1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2661E77171DB4C4FDB59EB1C98A593477E1FF99B10B0502AEE48AC72A7CE24EC028741
                                                                                                                                                                                                                                                                    Function 00007FFD9B28347E Relevance: .2, Instructions: 197COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 63a440b4f8e329c318c04dc325b81cad9a8e58ed88c9dcd3068591102c3da6cc
                                                                                                                                                                                                                                                                    • Instruction ID: 5d31fdf04670c4c07012a9f823d4116f9541a864ab04c4de4bd81ee57a72c743
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 63a440b4f8e329c318c04dc325b81cad9a8e58ed88c9dcd3068591102c3da6cc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 76619470E0EA5D8FDBA4DB98C4647ADB7B1FF19300F6141BAD00DE7291DA396A85CB04
                                                                                                                                                                                                                                                                    Function 00007FFD9B28946C Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 50c87532208d49bfe8555e00377690387ded12d70e2ae9352172a2b6e4ac0e39
                                                                                                                                                                                                                                                                    • Instruction ID: 84a51feeb5b5dd2536b9439d7c02657ad9339bc3419cb7c4c792e5ffc5c48ab5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 50c87532208d49bfe8555e00377690387ded12d70e2ae9352172a2b6e4ac0e39
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F3518431918A1C8FDB68DF58D855BE9BBF1FF59310F0082AAD44DD3296CE34A9858F81
                                                                                                                                                                                                                                                                    Function 00007FFD9B28E641 Relevance: .2, Instructions: 190COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: db0d4b9a01b27c34d17820c249716c9233724fb49ed294951feccce2851d7090
                                                                                                                                                                                                                                                                    • Instruction ID: 4e4f8b737dbb5563b1c20e131a8884cd82c167cd067d6395dbc51e4da89272f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: db0d4b9a01b27c34d17820c249716c9233724fb49ed294951feccce2851d7090
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71514D34A0995D8FDB98EFA8C4A5AFDB7B1FF59300F1104A9D00EE72A1CB34A941CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B28D080 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4aee07b6cb4195f3eac1545bb1a8c935df23e2a3e0d45de6be497ae3764c82ea
                                                                                                                                                                                                                                                                    • Instruction ID: 6aa5fdee885763bb90c4e388ed7d6aae2c19c7fd2d71189f6f09be2748510583
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4aee07b6cb4195f3eac1545bb1a8c935df23e2a3e0d45de6be497ae3764c82ea
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5151F77190EACD4FD756DBB488696FDBFE1EF06350F0400AED488DB2A2CA386949C741
                                                                                                                                                                                                                                                                    Function 00007FFD9B288570 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9bac09da9296e648f9bb6b3601dcaf6b6d21afab2d0db2a23880592d9a7484fb
                                                                                                                                                                                                                                                                    • Instruction ID: 0456dfa8baa6e2c4a15ba766073eaf5715f17d68dd2de7ec05b14fe0f0421729
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9bac09da9296e648f9bb6b3601dcaf6b6d21afab2d0db2a23880592d9a7484fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B4515F70A1991D8FDBA8EB58D498BEDB7B1EB58301F5040AAD01DE7291DB74AAC4CF40
                                                                                                                                                                                                                                                                    Function 00007FFD9B2863FB Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c89493b382ad6d17689041b047b3e9557db44a5213026f732e9d807e635ba05f
                                                                                                                                                                                                                                                                    • Instruction ID: 27b3ccb6ba0c1685950122e78fecbd484b80e245203046b573090cb88b15ee21
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c89493b382ad6d17689041b047b3e9557db44a5213026f732e9d807e635ba05f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E41F67171EE8E4FD7A1EF68D8615ED3BA0FF56214B150176D45DC31A2CA34A902C340
                                                                                                                                                                                                                                                                    Function 00007FFD9B37050C Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926381437.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 51616a3310af1c5afce553f7f74c07bfea5e82bef9b33567e43565f5bfe2afbb
                                                                                                                                                                                                                                                                    • Instruction ID: 28018775ac4cf6855eab9f9255925fe7578525934ec90fdcd18cca4a2d6d557c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51616a3310af1c5afce553f7f74c07bfea5e82bef9b33567e43565f5bfe2afbb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A31E76170EAC95FEB92E77C48EA5643BE1EF5661071900FFD089C72B7DD18AC068341
                                                                                                                                                                                                                                                                    Function 00007FFD9B288372 Relevance: .1, Instructions: 118COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6b2d74dc01146f8b3cbcf692c09e10ec7d1d4a1de9d41b86bbd3ea7ce3984611
                                                                                                                                                                                                                                                                    • Instruction ID: 2a836950ac73b24251bdef222ff7b486eab1f4c9adfee7b0469b8ae70abdc831
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b2d74dc01146f8b3cbcf692c09e10ec7d1d4a1de9d41b86bbd3ea7ce3984611
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2441EA71A09A5D8FDB94DBA8D4A4BADBBF1FF59301F4040A9D04DD7261CB39A981CB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B287DC1 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 96eef712c49e9806aef1c60cc15b8cb16708dcc6bd4a1efe90aad62da08cde96
                                                                                                                                                                                                                                                                    • Instruction ID: 7aebd7dd4f4071be7e6f682e6c90cb0f524fbad4f23e2835b255fabb3fc3b066
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96eef712c49e9806aef1c60cc15b8cb16708dcc6bd4a1efe90aad62da08cde96
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5731A170E1AA4C9FDB90EBA8C8556EDBBF1FF59310F0001BAD448D72A2DB346945CB41
                                                                                                                                                                                                                                                                    Function 00007FFD9B281979 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 709d0a5c1d9bc88e71a7f6f98eafd174ebe209deeb97f97498551df2d62642cc
                                                                                                                                                                                                                                                                    • Instruction ID: 79d8a3f75c19cee687de066ac17f91deec2b7b96ae805bd82ae94e4a32a8131c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 709d0a5c1d9bc88e71a7f6f98eafd174ebe209deeb97f97498551df2d62642cc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4313030E4A65E8FD7699EA0C4A53FDB6B1EF06301F4014BDD04A672E1CA395B84DF04
                                                                                                                                                                                                                                                                    Function 00007FFD9B283368 Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9d912ad4ced94867a795404ab8cff4e0cdb30f35e3dfa35a262e99a21d6bbb4a
                                                                                                                                                                                                                                                                    • Instruction ID: 0c3a78edd1408ddf662bba9db53d0a9591b8b94d74ca2976a4bcafc675c0ac16
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d912ad4ced94867a795404ab8cff4e0cdb30f35e3dfa35a262e99a21d6bbb4a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C931A130A0EA8D8FE7A5DB6888657A97BB1EF46350F0004FAD04DD72A6CE356D85CB41
                                                                                                                                                                                                                                                                    Function 00007FFD9B284EFA Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6d35bbb59e4ed62d3c1e54707d7348475c8733a342b4f17ba94cd39bb9cd880c
                                                                                                                                                                                                                                                                    • Instruction ID: 494992fbfdb5ba9f5caf613932b5d60a750f8674c16b92651aa29a4f89206a24
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d35bbb59e4ed62d3c1e54707d7348475c8733a342b4f17ba94cd39bb9cd880c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3210632A0EA9E4FD716EF6CA8A15DA7BA0FF45320B0502BBE458C71A7CD389905C351
                                                                                                                                                                                                                                                                    Function 00007FFD9B28E6D9 Relevance: .1, Instructions: 81COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d51480d52894370f31024ccc47fc6c34aa207414188aa55136b06272d873d138
                                                                                                                                                                                                                                                                    • Instruction ID: 23428188114fa11c1fd41d97fa7cd539fd79360427b6fce1f06c46b6736cd153
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d51480d52894370f31024ccc47fc6c34aa207414188aa55136b06272d873d138
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 89213E30E09A5D8FDB59EF94D860AFEB7B1FF45300F05056AE009D72A1CB786950CB50
                                                                                                                                                                                                                                                                    Function 00007FFD9B281B2F Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ab0ebd47c50f9d5f12218352ef47957ebe5e1cab8f0d4cefb4fc0ae8d84c6d5f
                                                                                                                                                                                                                                                                    • Instruction ID: 5a84c830011ef3aeb27ca6a45940491042787ab23adfb9ce8fdce5b7d24f0eef
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab0ebd47c50f9d5f12218352ef47957ebe5e1cab8f0d4cefb4fc0ae8d84c6d5f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E231F930905A6C8FDBA9DB68C995BE9B7F1EF59301F1000E9D04DE72A2CA746E81CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B28D21B Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 70e08d81530e983e400fb3452a4c3b3b6ed71e64a62ae899aea7d8b0c3fffa59
                                                                                                                                                                                                                                                                    • Instruction ID: 029d06f697df565cbeeec6912ba88d40ba2ce2649ecdc9223c6a5c7f93b84998
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 70e08d81530e983e400fb3452a4c3b3b6ed71e64a62ae899aea7d8b0c3fffa59
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36213770E19A1D9FDBA4DBA494616FCB7B1FF59301F5004BDD009E72A6CB38A985CB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B281E23 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f96bc17808b4a77a5e907841f419a8ebba6e02ea180b6997feb54916953b3474
                                                                                                                                                                                                                                                                    • Instruction ID: 5b46af697cdb504fbb27b7d43ab6ed39a5677740e39f8e2e8d2dc56e72c09a67
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f96bc17808b4a77a5e907841f419a8ebba6e02ea180b6997feb54916953b3474
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7531F9B0E0A62D8FEBA5DB6888557E9B7F0EF19700F4441E9D44CD3192DA786E85CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B2879C7 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 45f6bd42bbdb4b5d24e05786ceb8a72cb10794f9db649b6d103832bc45bad0e3
                                                                                                                                                                                                                                                                    • Instruction ID: b592464e0db054005fc8df0b2f4f2fd6a0a0be44fcdf6cb97b68180de835664f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 45f6bd42bbdb4b5d24e05786ceb8a72cb10794f9db649b6d103832bc45bad0e3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D118921E0B98C5FE750EBACAC654FDBFE0EF85210B8001BBE049D71A2C9243D478301
                                                                                                                                                                                                                                                                    Function 00007FFD9B2847EB Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 02c0fbb5356565942b2bfa28880119d48a41a703f2d1e820f528f1b3d2746b3a
                                                                                                                                                                                                                                                                    • Instruction ID: 180dd783ac70c741ce8cf58777e94bf3b6382bab3c03b7b410fee69887764535
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 02c0fbb5356565942b2bfa28880119d48a41a703f2d1e820f528f1b3d2746b3a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3211A372E0FDCE4BE362DAA45C281BD7A90FF91200B5A04BED46C474A3D935AE048641
                                                                                                                                                                                                                                                                    Function 00007FFD9B28483D Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c785e61a3632432a9d9258a784c709624a772ebd4be44ea12922f6115c5c8f5a
                                                                                                                                                                                                                                                                    • Instruction ID: 3d22ab669ec5768750e3906858d99fc848810bc5a521d7ad4262d72fe2d0cc7c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c785e61a3632432a9d9258a784c709624a772ebd4be44ea12922f6115c5c8f5a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 31114C31A09ACE4FD724EF68A8A15FA3B60EF01204F0605BAE46C870E3DD385A45C340
                                                                                                                                                                                                                                                                    Function 00007FFD9B283B7D Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e1fbed418f93516776468a76202c8cf7d9a659cd84d5023268f5d024d6fd8baf
                                                                                                                                                                                                                                                                    • Instruction ID: ce50c14c5d5b662fc5a50d6b7351ea2f2a94a2657c6e81d98fbc76cf0cb484ae
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e1fbed418f93516776468a76202c8cf7d9a659cd84d5023268f5d024d6fd8baf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B112572E0EA8C8FDB159FA4D4252FDBBB0EF06300F0101B6E149D71E2CB7866598B41
                                                                                                                                                                                                                                                                    Function 00007FFD9B281E9B Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7138f3a6fb2571e9af150988cedcca22cfa3fc5c3ce7d56617d3cce226a934c9
                                                                                                                                                                                                                                                                    • Instruction ID: aedf973740fe755a640a894c1234924573652df2ee404f66461b0bbe0b197499
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7138f3a6fb2571e9af150988cedcca22cfa3fc5c3ce7d56617d3cce226a934c9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C110A70E0AA2D8FEBB5DA5488593E9B7B1EF58701F0141E5D44C97291DA386EC58B80
                                                                                                                                                                                                                                                                    Function 00007FFD9B2884C0 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c216557f84ec15528304e73f99b3ae682818fb5ef19984bac4ec3741052590dc
                                                                                                                                                                                                                                                                    • Instruction ID: 055931c041c09bb9b2ee0c5c8aa6f346442c85c432164af77a0d84d06bf02c48
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c216557f84ec15528304e73f99b3ae682818fb5ef19984bac4ec3741052590dc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 57118334E1A91DCFDBA4DB98D494AFDB7B4EF59311F5110A9D00DE7251DB39AA80CB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B281E7E Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3764901f444158783002a3571b99a0fce4bd303039c2abb18880c87429087334
                                                                                                                                                                                                                                                                    • Instruction ID: 9bb6c7efeef5d2b4582aa5ee46117498b2a5d5e6556394e264fed04fd526cf4e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3764901f444158783002a3571b99a0fce4bd303039c2abb18880c87429087334
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 510121B0A0AA5D5FEBB1DBB848556A9BBF0EF0D700F0505E5D44CD31A2CA346F868B40
                                                                                                                                                                                                                                                                    Function 00007FFD9B281EB6 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5b64e741a566cb4cef687b7e1a2f507cc28b60998f0ba17474a80e2b774dc7e8
                                                                                                                                                                                                                                                                    • Instruction ID: 175e59740d6ea55fd85bc568f90421f1f59c36efdf16f989a53b1a440d7b6f06
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b64e741a566cb4cef687b7e1a2f507cc28b60998f0ba17474a80e2b774dc7e8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA1163B0D09A2D8FEBA1EB688855BE9B7B0EF19700F4145E6944DE3251DA346F858F40
                                                                                                                                                                                                                                                                    Function 00007FFD9B280C89 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9dc66b791c0504256630e0f88fbb28032a0200b1e952fa4a82ab1186d2d49b79
                                                                                                                                                                                                                                                                    • Instruction ID: a98648217116ce3fa9df633caa4261f7a830d9cc940bab7627fec3020e29946d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9dc66b791c0504256630e0f88fbb28032a0200b1e952fa4a82ab1186d2d49b79
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4101F53150A68D4FD369AB3488256FA7B91EF41310F0104BFD409DB2E2CE352904CA45
                                                                                                                                                                                                                                                                    Function 00007FFD9B280C1D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7fffbdfacd562f9ea8a31b8b13644698c7d5f3e224a497110721e47e33b7a4cd
                                                                                                                                                                                                                                                                    • Instruction ID: 823d001820e214b33abe3f696270b85ed56d519bd276b77f4977f35bfb2101ad
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7fffbdfacd562f9ea8a31b8b13644698c7d5f3e224a497110721e47e33b7a4cd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8001D67160E6894FD31AAB7498353E97B91EF42310F0504FFC0559B2E3DE392944C745
                                                                                                                                                                                                                                                                    Function 00007FFD9B28188E Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6b8bcfb480405dedfe9f95f580b218d86916f3e56181aff2a11c9a8143d1bb9f
                                                                                                                                                                                                                                                                    • Instruction ID: b9175965f5ac5aa727b008856cdda8df42ebd67cf7eef4841b9910dce2c1eb7c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b8bcfb480405dedfe9f95f580b218d86916f3e56181aff2a11c9a8143d1bb9f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B601DB30A09A598FD769DBA4D4657ADB7B1FF49301F4004BDD00EA76A2CB355A84CF04
                                                                                                                                                                                                                                                                    Function 00007FFD9B2832BD Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1456ec1976a51cf969166f28813be32b869f6a2826fe240d2173ac2a688978dd
                                                                                                                                                                                                                                                                    • Instruction ID: a36f57412f44512b02b637752f0d291ecf923eebfec167b01fcf7b0bf7ad9436
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1456ec1976a51cf969166f28813be32b869f6a2826fe240d2173ac2a688978dd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 66F05E71E0994D9FDB51EBE494693FDBBF1EF4A311F0041B6C459A31A2C6381A88CB80
                                                                                                                                                                                                                                                                    Function 00007FFD9B281CC7 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 67e86e5abbf112c2e0ccce28c312a002a8d825fee81c4356fed45b87a9ae453a
                                                                                                                                                                                                                                                                    • Instruction ID: fbb9c480df975f41bc13ba4cb3778f1bcb9adfa401b6ce524554b47d585f4119
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 67e86e5abbf112c2e0ccce28c312a002a8d825fee81c4356fed45b87a9ae453a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59F0AF30D1A69D5FD7219B7888226FCBBF0EF0AB00F4400F8D089970A3C9386A46DB46
                                                                                                                                                                                                                                                                    Function 00007FFD9B281C27 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 908ae1c5673f7e3b93ba0d710e14459a3d4a63b2972b5e9a41e62efd358fabcd
                                                                                                                                                                                                                                                                    • Instruction ID: 037e951c29ec6ac62c6c4bc983f68c69590bcb8542aaf2ec3968f07b94f2d46d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 908ae1c5673f7e3b93ba0d710e14459a3d4a63b2972b5e9a41e62efd358fabcd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04F01C7190A66C8FD7659B7488943EDBBF1AF46301F5480A9D04C671E2CA791AC9DB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B281C77 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4b4506b9676f43e449a0735cea49b7e1e1585f2675fc9cadd125fdde6937655f
                                                                                                                                                                                                                                                                    • Instruction ID: df4d6065460f9d1b86b6d72d237ee223937af8106dbee4ac96343c8aade06b74
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4b4506b9676f43e449a0735cea49b7e1e1585f2675fc9cadd125fdde6937655f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BFF08531D0A26C8FE7619A7588147ECBBF0AF06300F8480A8D048672E2CA792B86CF00
                                                                                                                                                                                                                                                                    Function 00007FFD9B284A4B Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 69ae0951968110ca23b842ebb4c1a50673e86c15f53583833c927b6e2ca9c2bb
                                                                                                                                                                                                                                                                    • Instruction ID: 0a98fb13ab297495961cbbf4ffee8296cabf12b4066ed68a638b8173861f7dbc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69ae0951968110ca23b842ebb4c1a50673e86c15f53583833c927b6e2ca9c2bb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ADE09A30616A0D8FE794EF64D4A576977A2FF8A301F924478D41DC73A2CE3AA941C700
                                                                                                                                                                                                                                                                    Function 00007FFD9B281926 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e2feef346423ad565fb07690951e1f90c3edc77bda68483e5f3182dc367b148f
                                                                                                                                                                                                                                                                    • Instruction ID: ae0f5b36bc2a3ee3d129e5bd7b64a76d2e7f60f512ec6e57721e3b2ce7a49007
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2feef346423ad565fb07690951e1f90c3edc77bda68483e5f3182dc367b148f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9AE09230A0A6594FD3A6DB2484657A577A1EF49300F4000FDD40DC7392CE351AC18B04
                                                                                                                                                                                                                                                                    Function 00007FFD9B281DBF Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1e17802410976691c733a91bc1ddad4b72ecd401c3c129a2aac85db1aa5f4777
                                                                                                                                                                                                                                                                    • Instruction ID: c3258e1139ad13dcfa7fa3cb6ae70a37e012880c67b3f89c8f524911a2defb5d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e17802410976691c733a91bc1ddad4b72ecd401c3c129a2aac85db1aa5f4777
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E8E04F7090A6598FD7219AA888642FDBBF2AF0A304F1510A4C448671A1C7796E42D704
                                                                                                                                                                                                                                                                    Function 00007FFD9B281F6A Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 31db0ad85a39d3ae2bbcfdc86f30153a42d7352c31d5ca2219bbc6911b709327
                                                                                                                                                                                                                                                                    • Instruction ID: 3dfbb0a4cb4afb572a84813f3698027874144703eebd0b76d9a53defc12e3641
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 31db0ad85a39d3ae2bbcfdc86f30153a42d7352c31d5ca2219bbc6911b709327
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C9D022B150B58C2FC31257B408650EDBFF09F0B200B8400E8D0844B063C13ABE428300
                                                                                                                                                                                                                                                                    Function 00007FFD9B281F8D Relevance: .0, Instructions: 12COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a4dd9f72e3900aed590efd02cd1b292eee02cf96c4d689fd72539534f9c866cf
                                                                                                                                                                                                                                                                    • Instruction ID: 0fedde9c617fcc5b354db902b576f671202a04d23bda4083ec3217f90eb1643e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a4dd9f72e3900aed590efd02cd1b292eee02cf96c4d689fd72539534f9c866cf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AAD0127114B4C92ED74227B448656EA7FE08F07150F4D04D5D8844B0A3C06D29568305
                                                                                                                                                                                                                                                                    Function 00007FFD9B286E93 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000C.00000002.1926052089.00007FFD9B280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B280000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_12_2_7ffd9b280000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                                                    • Instruction ID: 23eec123d87b5a27088b0eaf366e16ec3cf2f8aa9ff9c5faa9fe0e709954074b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E5A00202BCB86E01D45520DD78560DCB244D785171BC62572ED1C9815A989E1AD61289

                                                                                                                                                                                                                                                                    Executed Functions

                                                                                                                                                                                                                                                                    Function 00007FFD9B27CE90 Relevance: 4.5, Strings: 2, Instructions: 2009COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: uL_^$xH_H
                                                                                                                                                                                                                                                                    • API String ID: 0-1618075833
                                                                                                                                                                                                                                                                    • Opcode ID: 5998fb22e7dbfa6a80737677a464c8d3c849a4c1e66827ad268ba5535db0111a
                                                                                                                                                                                                                                                                    • Instruction ID: eccfd85b401ee525cd088a585830769a4be1d0bb99432d09d8df2af0ce763296
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5998fb22e7dbfa6a80737677a464c8d3c849a4c1e66827ad268ba5535db0111a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CD27631B0EA9E4FE7699B6C84646B83BE1EF97310F0541BAD099C71E7DD2CA9438740
                                                                                                                                                                                                                                                                    Function 00007FFD9B260C58 Relevance: 1.2, Instructions: 1231COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4a1ac5e52521d42e27a79bc420b9868fb46aa0e537e3680ad1a9afe37685ed51
                                                                                                                                                                                                                                                                    • Instruction ID: 84e002c2192419e7ea0b2dac6d1b2e04f5fe428c928f4a635cefc6fa60c04197
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a1ac5e52521d42e27a79bc420b9868fb46aa0e537e3680ad1a9afe37685ed51
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2A26E70A0951D8FEBA9EF18C4A4BA9B3B1FF59305F5040FAD01ED7295CA35AA81CF50
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C9DD Relevance: .9, Instructions: 911COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 718dcbc5026ebae7094e30eec3d22d629666368003c16933df56f8f7bf1fc3ff
                                                                                                                                                                                                                                                                    • Instruction ID: 5feff0f96e392924ba455ae79fae03fe74376f205a22a22e5866e740a4ad5ae1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 718dcbc5026ebae7094e30eec3d22d629666368003c16933df56f8f7bf1fc3ff
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC528030A09A5D8FEFA8EF5CC4A4AA977E1FF69344F150279E44DD72A1CE24E841CB41
                                                                                                                                                                                                                                                                    Function 00007FFD9B279013 Relevance: .8, Instructions: 810COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 374308a1541baeacffd592a6aab29af1b88ee1f388ba4d52cbe4f5d8b8090953
                                                                                                                                                                                                                                                                    • Instruction ID: 55e12db62c7a1473d5d24bf214470a7271bc25741a0873dd130ca81efc284651
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 374308a1541baeacffd592a6aab29af1b88ee1f388ba4d52cbe4f5d8b8090953
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3522871A0E7CA5FD376876884AD6A53BE0EF96320F0605F9C48DCB1F3DA2879068745
                                                                                                                                                                                                                                                                    Function 00007FFD9B283890 Relevance: .6, Instructions: 635COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bc32a64fd75c731b11040524165c20365faf66e4b1e224a5613d7382d6b1656c
                                                                                                                                                                                                                                                                    • Instruction ID: e93ae7d9dc71766e9a339765d9c42ffdad4cbdfc3d0c672cb57dab79bddec932
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bc32a64fd75c731b11040524165c20365faf66e4b1e224a5613d7382d6b1656c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 87122821B0EB4A4FE779966488B12BD77E1EF55300F2641BBD09AC71E7DD3879428382
                                                                                                                                                                                                                                                                    Function 00007FFD9B264C41 Relevance: .4, Instructions: 396COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ac75a982867b1f4a6b253e677e94623595393a807ae4c3b899b36f5b6d462e60
                                                                                                                                                                                                                                                                    • Instruction ID: 29fea30c7a742990957d98ef2d2a0f79d620e02c4fe10944357619f0e0b5c809
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ac75a982867b1f4a6b253e677e94623595393a807ae4c3b899b36f5b6d462e60
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86D19130E0A65D8FE7A5EF6884A47A977F1EF49300F4101BAD05DD72E6CA796D82CB10
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C930 Relevance: .4, Instructions: 380COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6cb7cbab0d5e46e487bab6c3471e4fc38bf1aaa27cb575cd611290f6bd1c2f15
                                                                                                                                                                                                                                                                    • Instruction ID: d0add4c27231e54e231fe7003839d3437266a9a016b97fdf8351d7e9d1b1e911
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6cb7cbab0d5e46e487bab6c3471e4fc38bf1aaa27cb575cd611290f6bd1c2f15
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7C1A371719A4D8FDF94EF6CC495AAA3BE1FF69350B05017AE40DD32A1DE24E941C780
                                                                                                                                                                                                                                                                    Function 00007FFD9B281C0E Relevance: .4, Instructions: 356COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 404c393b45590f640ace9d11d611c3c2b547d66f78a0f9d2b42fe9f32e1040ee
                                                                                                                                                                                                                                                                    • Instruction ID: 6972874850c2159ec623058acc382625fcf57dddff5d5694e0ab963ae74b7aac
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 404c393b45590f640ace9d11d611c3c2b547d66f78a0f9d2b42fe9f32e1040ee
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACD1863061DF898FD759DF28C050AA6BBE1FF69300F0586AED49E872A2DA34F545CB41
                                                                                                                                                                                                                                                                    Function 00007FFD9B27B72E Relevance: .2, Instructions: 232COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 56290c93bd26a965d3a49f46011c28253e557c064740e597c425f0393268a8a0
                                                                                                                                                                                                                                                                    • Instruction ID: 75e9957242d9a5f3e7a7d7f20fa45dbc85b5da3aeb0cffe076904399da5f322b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 56290c93bd26a965d3a49f46011c28253e557c064740e597c425f0393268a8a0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB913A71E0961E8FDB68DF94C8A5BACB7B1EF58300F1101B9D01DA72A2DA356A85CF44
                                                                                                                                                                                                                                                                    Function 00007FFD9B264E45 Relevance: .2, Instructions: 175COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4a4c76dfa864b0272bf2b6d8bc6bbe5df46e5b75f3d99b6b6b67cb1558ab9ea6
                                                                                                                                                                                                                                                                    • Instruction ID: 44d83c4d5ec3ec2bef4dac2a3a05816fe1383e173cafabebe38705d35f89c929
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a4c76dfa864b0272bf2b6d8bc6bbe5df46e5b75f3d99b6b6b67cb1558ab9ea6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F517030E0A65ECFE765DAA884A47B977F1EF49300F11017AD05DD72A6CB396A82CB10
                                                                                                                                                                                                                                                                    Function 00007FFD9B2706AA Relevance: 2.9, Strings: 2, Instructions: 426COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: H$d
                                                                                                                                                                                                                                                                    • API String ID: 0-989806989
                                                                                                                                                                                                                                                                    • Opcode ID: 46dad6580e6205a0c1c4fd9d1eab6d3bfff392913774b24c3d50086f46195b3c
                                                                                                                                                                                                                                                                    • Instruction ID: 703b6e523e028da97492ebfcab0de6dbd56fc33b412560b9e4bf7f5726e8d065
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 46dad6580e6205a0c1c4fd9d1eab6d3bfff392913774b24c3d50086f46195b3c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BFD16730B0EB4A4FEB68DB58C4A097677E0FF95700B1545BED08AC71A6DE38F8468785
                                                                                                                                                                                                                                                                    Function 00007FFD9B27D324 Relevance: 1.8, Strings: 1, Instructions: 576COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: dL_H
                                                                                                                                                                                                                                                                    • API String ID: 0-2846114773
                                                                                                                                                                                                                                                                    • Opcode ID: 0a4a60c483a0f81b08c29a05a04650e5f431016a96bac345a5722826c0a9924b
                                                                                                                                                                                                                                                                    • Instruction ID: e1d985d8c7a394f499638a1a834375768d88661ffe1c09b8b369c3c0610757d1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a4a60c483a0f81b08c29a05a04650e5f431016a96bac345a5722826c0a9924b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF02E570B0DB498FD769DB28C4A4AB577E1FF99300F15426ED48EC72A6DE24B842C781
                                                                                                                                                                                                                                                                    Function 00007FFD9B2743F7 Relevance: 1.7, Strings: 1, Instructions: 468COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                    • Opcode ID: d3f1dc4d6c45a8dd891e384d7dfa6a3b15d5775d7e1c17c2eb9752dda9bb4c3b
                                                                                                                                                                                                                                                                    • Instruction ID: 6407dc56be06978808028813bac1b69e58d8e2dc8b338386be1a228a358dc7ad
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d3f1dc4d6c45a8dd891e384d7dfa6a3b15d5775d7e1c17c2eb9752dda9bb4c3b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 11E13430A1DB494FE768DB5888A4A79B7E1FF98300F1405BED09EC31A6DE34F9428781
                                                                                                                                                                                                                                                                    Function 00007FFD9B26E5B8 Relevance: 1.7, Strings: 1, Instructions: 401COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                    • Opcode ID: 8bac87d703683fd14e86d29321129251c3bbfd6ff282da918c9098cec3afa687
                                                                                                                                                                                                                                                                    • Instruction ID: 354757d443794154c5bda7c6d4b5d40da1df50be22306707292f6c5e7c8da9fd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8bac87d703683fd14e86d29321129251c3bbfd6ff282da918c9098cec3afa687
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 55C13430B1DB498FEB68DB48C4A1976B3E1FF98700B15467DD08AC32A6DA35F8438785
                                                                                                                                                                                                                                                                    Function 00007FFD9B273BA8 Relevance: 1.6, Strings: 1, Instructions: 383COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                    • Opcode ID: 6c22dc8dedb2484cd02f7a7c2517c3f5a6f26fc01ec50b8ce452c50e0b27bc68
                                                                                                                                                                                                                                                                    • Instruction ID: 9de052f8bd02d0d00a4036eee0df9b3c5f615f02418e7abc160655f4c8672545
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6c22dc8dedb2484cd02f7a7c2517c3f5a6f26fc01ec50b8ce452c50e0b27bc68
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 78C11330B1CB498FD728DB58D895539B3E1FF99300B104ABDD09AC36A6DA35F8438B85
                                                                                                                                                                                                                                                                    Function 00007FFD9B273B28 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                    • Opcode ID: c4c837852dd5e67ecf158dc78e17868dadb691d9e280939e6e370b490fecca3b
                                                                                                                                                                                                                                                                    • Instruction ID: 8c56ca488a41d82eb980aeaa53186033601b85c587b4fea5360669cd3b46266a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c4c837852dd5e67ecf158dc78e17868dadb691d9e280939e6e370b490fecca3b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52B12430B18B4A8FD328EB4CD4919B9B3E0FF94314B1546BED49AC31A6DE35F8428785
                                                                                                                                                                                                                                                                    Function 00007FFD9B275B80 Relevance: 1.6, Strings: 1, Instructions: 300COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: L_H
                                                                                                                                                                                                                                                                    • API String ID: 0-402390507
                                                                                                                                                                                                                                                                    • Opcode ID: c54279a05f572cd72c0f4b7297fb075fff77e3bcf053845ffeba404198954df2
                                                                                                                                                                                                                                                                    • Instruction ID: 0736e3f94ac1fcc55c177d1abab50aaa88451d0740ded56d62579136497649e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c54279a05f572cd72c0f4b7297fb075fff77e3bcf053845ffeba404198954df2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E71E162B0FD1E4FF7B5969C14BD274A2C1EFA8691B22017BE48DC72A5DE18BD064384
                                                                                                                                                                                                                                                                    Function 00007FFD9B26F2D2 Relevance: 1.5, Strings: 1, Instructions: 289COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: /X_H
                                                                                                                                                                                                                                                                    • API String ID: 0-4271806277
                                                                                                                                                                                                                                                                    • Opcode ID: 287c72ef8c8fe4c60d3b9dbbd80c8ddbc06d8306552a5d6839c65eadbb31d3f2
                                                                                                                                                                                                                                                                    • Instruction ID: 8ff58bda75a0278c85c2ac5851c60c4f85e1fd0d2e5264a48774a9ad62a91276
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 287c72ef8c8fe4c60d3b9dbbd80c8ddbc06d8306552a5d6839c65eadbb31d3f2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DA16271E1955D8FEBA8EB68D8A87AC77B1FF58300F0101BBD04DD71A6DE3469828B04
                                                                                                                                                                                                                                                                    Function 00007FFD9B27FA68 Relevance: 1.5, Strings: 1, Instructions: 288COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: (L_H
                                                                                                                                                                                                                                                                    • API String ID: 0-2019992656
                                                                                                                                                                                                                                                                    • Opcode ID: 41e1a3040a5e46c33297fd1e63020846cdac13bbbc26436b6eaa69699410693b
                                                                                                                                                                                                                                                                    • Instruction ID: b00047efcac5acb3b87b24e1ca7665ffa25f6d144c22bab66ba9426d4169484c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 41e1a3040a5e46c33297fd1e63020846cdac13bbbc26436b6eaa69699410693b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A81C471B09A8D8FDB94EFACC4A56A977E1FF68300F05017AD409D72A9DE34AD42C740
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D0C0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: ^M_^
                                                                                                                                                                                                                                                                    • API String ID: 0-3273950326
                                                                                                                                                                                                                                                                    • Opcode ID: 11e25217e21ff172112883106e76c1e86612e4a340c77bb096b4079c0a1aae93
                                                                                                                                                                                                                                                                    • Instruction ID: d6019d55b04706a21027dd2015435d5d9fa5ebbaf311d6274a0ca321c1c62388
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 11e25217e21ff172112883106e76c1e86612e4a340c77bb096b4079c0a1aae93
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F51D922B0D7968FD312BB7CA4755E83BA0DF4223570A42F7C489CE0E7EA1C2946C391
                                                                                                                                                                                                                                                                    Function 00007FFD9B284360 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: K_
                                                                                                                                                                                                                                                                    • API String ID: 0-2277854001
                                                                                                                                                                                                                                                                    • Opcode ID: 55cf349e3682f4e02f813058779edf761de663a9e7380b7605e62b2554b13ac9
                                                                                                                                                                                                                                                                    • Instruction ID: 86c377137490a99dd6853b3374778645864264d943a3276159740f8d1df34edd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 55cf349e3682f4e02f813058779edf761de663a9e7380b7605e62b2554b13ac9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 01413230B19E0A4FE768D63884A5AB973D2EF94304B15457DD4AEC32A6EE39F8428341
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CDF3 Relevance: 1.4, Strings: 1, Instructions: 157COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: vM_^
                                                                                                                                                                                                                                                                    • API String ID: 0-2795635623
                                                                                                                                                                                                                                                                    • Opcode ID: 4f11def4c34eb022dd6bf73d613ec13a36cb65d83718f1f86df9e79c3c8ab812
                                                                                                                                                                                                                                                                    • Instruction ID: 9565b8654e7021bde3a7f30fac4fdcb663304a29e84e69dd715f425b89b4ba97
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f11def4c34eb022dd6bf73d613ec13a36cb65d83718f1f86df9e79c3c8ab812
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43413E31B1DA4D8FD768EB5CA8695B837E1EF99310B0501BFE04DC72A3DE155C028780
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A0F3 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: H
                                                                                                                                                                                                                                                                    • API String ID: 0-2852464175
                                                                                                                                                                                                                                                                    • Opcode ID: 6d79ae1a7759dc5992836e403b1c1b7a0f59f65d100a108d792ce8ae13be838d
                                                                                                                                                                                                                                                                    • Instruction ID: 7c3f45c4a5e3f053eca8084b74227f0cae35fa0383ec70a052045336f6b06492
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d79ae1a7759dc5992836e403b1c1b7a0f59f65d100a108d792ce8ae13be838d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E312A31B0A91D8FEB94EF6C98A8AB937E1EF99351B0500B7E41DC72A7DE259C418740
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CFF7 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: tM_^
                                                                                                                                                                                                                                                                    • API String ID: 0-212585260
                                                                                                                                                                                                                                                                    • Opcode ID: 7097a84410078cd2e2fe3729fed58f2a1e7e5bd7b9819d7b467c8c8b78d2cec8
                                                                                                                                                                                                                                                                    • Instruction ID: 826a736fae7ff432989d234e494d567b605d727a4210f805a4d823c18453aa69
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7097a84410078cd2e2fe3729fed58f2a1e7e5bd7b9819d7b467c8c8b78d2cec8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46310E23E0915E8FD721BB6CF8A55F93790DF413247060277D859CA1BBEF2466468681
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A11A Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: H
                                                                                                                                                                                                                                                                    • API String ID: 0-2852464175
                                                                                                                                                                                                                                                                    • Opcode ID: cd3dd60386990467422948f6421a74acb3259be64826c4ce89b8b4196fe8f7fb
                                                                                                                                                                                                                                                                    • Instruction ID: dfd777252a1fe6d45c4daa7c5e57c7c67ce3df7ab25cc48132003fc25152e452
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd3dd60386990467422948f6421a74acb3259be64826c4ce89b8b4196fe8f7fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C1F0A031A14A8DDFEB48EFA884A84E97BB1EF48200F4000B6EC1DD6165EE346691CB00
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CFC8 Relevance: .7, Instructions: 686COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 200575d69dc3a931c0cc718b4fa27fab51ffbe386beff6db24649fa8b6997c8e
                                                                                                                                                                                                                                                                    • Instruction ID: 9e9f3f2c3b7ebc915685bcd01ddcc759bc85f52dcc8d4919b8a336f87f1caa96
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 200575d69dc3a931c0cc718b4fa27fab51ffbe386beff6db24649fa8b6997c8e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B220230B1D74E8FE768DB5C84A153A73E1EF9A710F15457DE08AC32A2DE28F8428646
                                                                                                                                                                                                                                                                    Function 00007FFD9B280EC1 Relevance: .6, Instructions: 574COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 18907856382431e62b9defcb5141e33c4fc6690fb6d10a9783f6a5f7526d7f40
                                                                                                                                                                                                                                                                    • Instruction ID: eb927be76157fc11e699e41a4b45eb541ff58256a0c1018491236ab8a4e2a06f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18907856382431e62b9defcb5141e33c4fc6690fb6d10a9783f6a5f7526d7f40
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 59F14E31B0DD4D4FEB58EA5C98669B937D1EF99311B0540BAE84EC72E7DD24AC42C381
                                                                                                                                                                                                                                                                    Function 00007FFD9B26DE20 Relevance: .5, Instructions: 547COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ba9a96c7953af2fe3787385c0a997667131699b3d83d739a8d046ab156c052a4
                                                                                                                                                                                                                                                                    • Instruction ID: 859ab0d29cd52267500b404d200da1178e692df11312cc451aa2a45c282e410f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ba9a96c7953af2fe3787385c0a997667131699b3d83d739a8d046ab156c052a4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2EF14931B0DA8D8FE758EA6C846597977E1EF99340B0501BFE48DC72E7DE28AC428741
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A020 Relevance: .5, Instructions: 481COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5b6c20eed5f53c291a28d6b8aaee14d7ee3d3a02ca58ca45f8c951e6f2337e97
                                                                                                                                                                                                                                                                    • Instruction ID: 7c8f267dbf7476dac9d1040924a49482546ebda5edef60cf517352a7de9c4416
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b6c20eed5f53c291a28d6b8aaee14d7ee3d3a02ca58ca45f8c951e6f2337e97
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4E1D670B1DB4A8FE768EF188465666B7D2FF98300F10457EE49DC32A6DE34B8418742
                                                                                                                                                                                                                                                                    Function 00007FFD9B277146 Relevance: .5, Instructions: 460COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 443bf5ee51566b45ac672895deb3d25d1efb9a9f1890559209b9e8cf2a2f2e6a
                                                                                                                                                                                                                                                                    • Instruction ID: ac045459208bb08944dcf5d8cdf02c0cd38e6a853cf661dce73da9f7810395c1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 443bf5ee51566b45ac672895deb3d25d1efb9a9f1890559209b9e8cf2a2f2e6a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 47E1E870A1DB4D8FE768EF288465666B7E2FF98300F10457EE49DC32A6DE34B8418742
                                                                                                                                                                                                                                                                    Function 00007FFD9B27E66F Relevance: .5, Instructions: 457COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bb82b597aa3f4e824f3392a31e55e0db9328c8f1ecc692c5db331f96d382315f
                                                                                                                                                                                                                                                                    • Instruction ID: 61281f9f1d5770f99ffc8509e55012849fb3f3d1c07b6cc80e705638db107a7b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb82b597aa3f4e824f3392a31e55e0db9328c8f1ecc692c5db331f96d382315f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71D1C731B19D4A4FEBA4FB6C84A5AA437D1EF68300B0541BAD84DCB2A7DD28FD45C781
                                                                                                                                                                                                                                                                    Function 00007FFD9B272CD0 Relevance: .4, Instructions: 449COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 93d0c39391a8ddf4cd4e954da2e2e12e1563ab744943d2206865fe55c2506f84
                                                                                                                                                                                                                                                                    • Instruction ID: d8ae57e0b6607382c9edf9773329ebeee95b53542b3cd89fc48b168e55a9daaf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 93d0c39391a8ddf4cd4e954da2e2e12e1563ab744943d2206865fe55c2506f84
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69C16A72B19E0D0FE7A4EA2C94A97B933C1EF99390F0501BAE44DC72A5DE18AC434385
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D9E9 Relevance: .4, Instructions: 442COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e1c73fdb6189f41a0e16831ee372afd037bd3bded7c8d93d20a182ec92221f6c
                                                                                                                                                                                                                                                                    • Instruction ID: cf5584b02b2e26a42cb4c978d21b20d277fae28d98487c6545f4baf410fafa83
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e1c73fdb6189f41a0e16831ee372afd037bd3bded7c8d93d20a182ec92221f6c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4D1433160DB4D8FDB64DB58D851AA5B7E1FFA6350F05026FD08DC32A2DE26A846C782
                                                                                                                                                                                                                                                                    Function 00007FFD9B269FD0 Relevance: .4, Instructions: 432COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f4cc93be6cb1945bc1f22998d7704bc65f9c4973a92c550a58dee4e78898f131
                                                                                                                                                                                                                                                                    • Instruction ID: 1c9c35c208dcbe61494225b8b408b29e80a361e6ecc6f3ca250413005ed05513
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f4cc93be6cb1945bc1f22998d7704bc65f9c4973a92c550a58dee4e78898f131
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1C19C22B1ED8A0FF7A59A6C587567877D1EF99250B1901FAE44CC72FBDD28AC028341
                                                                                                                                                                                                                                                                    Function 00007FFD9B2802B1 Relevance: .4, Instructions: 427COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7c0706fd1af46ea41c03551159ead710de612e6e5ee7563795d1bd9eda56366a
                                                                                                                                                                                                                                                                    • Instruction ID: 54b66058ecdddbed267b9d2e366cc29e853d872ac0c25c11b90b82d148848283
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7c0706fd1af46ea41c03551159ead710de612e6e5ee7563795d1bd9eda56366a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17D13A31B1DD8E4FEBA5DB5898B16AD77D1EF99750F0500BAE44CC32E6DD286D028341
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A0A0 Relevance: .4, Instructions: 418COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 763aa22dfaf0aa8231ade41e7a329dd4ad7fb5758ec090a791a14ee1ebad2114
                                                                                                                                                                                                                                                                    • Instruction ID: b5a92a1ecde93b28c2f4066e6cd4e9148c8b91b9fe3811e7e59d406390240175
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 763aa22dfaf0aa8231ade41e7a329dd4ad7fb5758ec090a791a14ee1ebad2114
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00B10921B19E4D0FEBA8EB6C98A567837D1EF9D25074501BBE44DC32F7DD18AC428346
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C9B8 Relevance: .4, Instructions: 414COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0a3ce8cda30d8034ee1959979fa3985156ee25f150f685c3724b7e32c71ea5fb
                                                                                                                                                                                                                                                                    • Instruction ID: 087a5c298be11ee4b19b83ce8e6c2fe9c77c9bff424189f437a3eb106165daee
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a3ce8cda30d8034ee1959979fa3985156ee25f150f685c3724b7e32c71ea5fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CD19230B1DE4D8FEBA8DB688465B7977D1EF9A300F15047DE48EC32A6DE35A8418742
                                                                                                                                                                                                                                                                    Function 00007FFD9B26AAE8 Relevance: .4, Instructions: 389COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d426dba080af90ed8f392a174516ae81730b4435d22eedbe3daef59bdfd55474
                                                                                                                                                                                                                                                                    • Instruction ID: e8e99280b33c909317b13b6c1773b95181887afa7c27c7c32dffaaf9e592ab65
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d426dba080af90ed8f392a174516ae81730b4435d22eedbe3daef59bdfd55474
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3B1A521B1EE4E8FEBA9DB6C94BAB7437D1EF59300B0500BBD44DC72A6DE18AD458740
                                                                                                                                                                                                                                                                    Function 00007FFD9B263466 Relevance: .4, Instructions: 378COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3d5004cdc05b00bafda9c013dacd96c84afdecf59c5218b1c309a21845eff011
                                                                                                                                                                                                                                                                    • Instruction ID: 916b5f2e2f4922ee5da662e16fc6e8a9a04e303a979d03b13a0a8d200955509c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3d5004cdc05b00bafda9c013dacd96c84afdecf59c5218b1c309a21845eff011
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9AD19330A19A8D8FF795EB6C8864AA87BF1EF59301F0001F6D45CD72A6DE295D82CB11
                                                                                                                                                                                                                                                                    Function 00007FFD9B27CF30 Relevance: .4, Instructions: 368COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 42c90cbb8b9aadf704e0db23718300e9b7350c500927d930bc256e67b20849ea
                                                                                                                                                                                                                                                                    • Instruction ID: 9a20195d607eaf1e3338098e84440e95a85f16dfe46c13cad5dbca3d605a2dfc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 42c90cbb8b9aadf704e0db23718300e9b7350c500927d930bc256e67b20849ea
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 29C11420B0DB4E4FE7789AA884B82B977E1EF4A310F0641BED45EC71E2DD3E69458351
                                                                                                                                                                                                                                                                    Function 00007FFD9B26B900 Relevance: .3, Instructions: 349COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b8136c0d8f54c97273caf342655665e8e8dc46c4b16c77594a389ddf9571a641
                                                                                                                                                                                                                                                                    • Instruction ID: bbf775ad4d2bb653ca6d5fd7854d6c7ec3b94051518225693a7f4bd007ecbbee
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b8136c0d8f54c97273caf342655665e8e8dc46c4b16c77594a389ddf9571a641
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DA14931B0DE4D4FEBA5EB689860AB577E1EF59310B1501BAD48DC72E7CE28B846C341
                                                                                                                                                                                                                                                                    Function 00007FFD9B2686DA Relevance: .3, Instructions: 343COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3e0897f2d56472be263030afb63702f68fe1343762729b52ab80fb40a965c17d
                                                                                                                                                                                                                                                                    • Instruction ID: 504e16acc26874d7c13db9cc42d9b91b69b15c298505659b3f6b4ec8a303fe40
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e0897f2d56472be263030afb63702f68fe1343762729b52ab80fb40a965c17d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 49B10630E0A65D8FE7A4DB68C8647E877F1EF46314F0402BBD04DDB2A2DA381986CB51
                                                                                                                                                                                                                                                                    Function 00007FFD9B273C08 Relevance: .3, Instructions: 337COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d0311dc35e9aa9e86d494ce5f4c7fca020f3b38acbd52e154f4642b89b13c38b
                                                                                                                                                                                                                                                                    • Instruction ID: bf0f09610f15e515384f0d7def3bd0e94ff488056fb0284c0b4dcda96697b72c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0311dc35e9aa9e86d494ce5f4c7fca020f3b38acbd52e154f4642b89b13c38b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69A1E13071DA498FEB69DB6CC4A1A71B3E1EF59310B1505BDD08EC72A6DA25FC42C781
                                                                                                                                                                                                                                                                    Function 00007FFD9B27F265 Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: da6913a8df5310c1e4dae67cc09e29be1c67b294b6052dfaf45635bd29cbb77d
                                                                                                                                                                                                                                                                    • Instruction ID: 76282c128ada1cc6ef04509b27365815e501be908c6176a9bb5642f19a5d58bd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: da6913a8df5310c1e4dae67cc09e29be1c67b294b6052dfaf45635bd29cbb77d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4A15831B0EACA4FE764DA6C88A15B437D1EF89310F0601FAD04CC76A2DA1DBD478382
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CCC0 Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ea07387f229deb02deeb180abfadbb3313ac27886624ed92a119f5c45737f651
                                                                                                                                                                                                                                                                    • Instruction ID: 5a28d617c79dfddd323e5eb38edfd3e87c6bdeed8a4e6eb74b887ff82598734d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ea07387f229deb02deeb180abfadbb3313ac27886624ed92a119f5c45737f651
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DB1E671F18A4E8FEB58EB989465BACB7E1FFA8340F0401BAD45CD32DADE2479418741
                                                                                                                                                                                                                                                                    Function 00007FFD9B26DE79 Relevance: .3, Instructions: 325COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 82bdee9835925d67b70f5cc0e5832682e5e73916e4fa3b6c8d9ce17c7566320a
                                                                                                                                                                                                                                                                    • Instruction ID: 0084ba6872152c70357fc0325140213a9c494e143df71ba0c9f668a93f111f26
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 82bdee9835925d67b70f5cc0e5832682e5e73916e4fa3b6c8d9ce17c7566320a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE912771B1DA8E8FE758EA2C986593437E0EFA9750B0501BFE48DC71A7DE18EC428741
                                                                                                                                                                                                                                                                    Function 00007FFD9B2673E1 Relevance: .3, Instructions: 322COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: eb82bd9816cad5410158938c7ffeb35400d6d7fae3a33ab55c87492eb4387c81
                                                                                                                                                                                                                                                                    • Instruction ID: 4c44774a588701851aa2a107beb37ba2c1419b7166b8b4fea5d694eabe5d2f34
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eb82bd9816cad5410158938c7ffeb35400d6d7fae3a33ab55c87492eb4387c81
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9AB1F830E09A1D8FDB98DF98D494BADB7B1FF59300F1541AAD01DE72A5CA38A981CB50
                                                                                                                                                                                                                                                                    Function 00007FFD9B27E37D Relevance: .3, Instructions: 314COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2dae8e68f530c676ec09baf115473888f8568b25c6bb98f9f8ac6752c7248a42
                                                                                                                                                                                                                                                                    • Instruction ID: 22e630933405782fef0a1532a5be63d41b7fa5604738e1e41edecc95bd116bc1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2dae8e68f530c676ec09baf115473888f8568b25c6bb98f9f8ac6752c7248a42
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7331D66260F7C65FD752EA6C58F55A87FA0DF16210B0A01E7C8888F0A7EA147A198362
                                                                                                                                                                                                                                                                    Function 00007FFD9B2663B3 Relevance: .3, Instructions: 314COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5050275c0c3fcdbd8e11f6ab2f38e6f70eef516949d8be33ad505bac4a2ae846
                                                                                                                                                                                                                                                                    • Instruction ID: cd141433644830e5f6b321e669ef5bea3437ac42a4c46a4e0051473937e61861
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5050275c0c3fcdbd8e11f6ab2f38e6f70eef516949d8be33ad505bac4a2ae846
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04B14D30E0A65DCFDBA9DB68C4A47F9B7B1EF59300F5141BAD00DE3291CA796A85CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B263FCD Relevance: .3, Instructions: 313COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 18963f74d8a10eb01e2fa79832947693d8b6500ebbaaf1e002289106a7c6afbd
                                                                                                                                                                                                                                                                    • Instruction ID: 1a871d1d5154ab0a4ceaa9b550b39e5bd70370d11f156de469619715d0908fd6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18963f74d8a10eb01e2fa79832947693d8b6500ebbaaf1e002289106a7c6afbd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6DA1F631E0A65D8FE764DBA488617E8BBE0EF45310F5502BFD0ACD71E1DA385A46CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B2748A4 Relevance: .3, Instructions: 305COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2728a376a3ede57da32e890df39dd9f00c9343b3113c278b66d6a76584c71c20
                                                                                                                                                                                                                                                                    • Instruction ID: fcb240fe27a6e5f045458c7f81eb23c452de0b1d2e386b2472e69075da35717d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2728a376a3ede57da32e890df39dd9f00c9343b3113c278b66d6a76584c71c20
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8915431B1DB4A8FD768DE6884E59BA77E0FF55310B14067ED4AAC31A6DE34F8428780
                                                                                                                                                                                                                                                                    Function 00007FFD9B273C30 Relevance: .3, Instructions: 296COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: aaf6b013a43290383c3b06cbb64e04ff76c284b9e5a0ac522e85f52681f6b336
                                                                                                                                                                                                                                                                    • Instruction ID: 87b2d1c5dc2a256e4736d5eba0f090bc3c300f94cdfefc03ec5e577da873f296
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aaf6b013a43290383c3b06cbb64e04ff76c284b9e5a0ac522e85f52681f6b336
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FB916430B1DB898FE768DF6884E59BA77E0EF55310F14067ED49AC32A6DE24F8428741
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D469 Relevance: .3, Instructions: 290COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 571058f6340ea5d11c7782ef8be0e6d7992f865f79fbca7ce83dfcec118ad787
                                                                                                                                                                                                                                                                    • Instruction ID: 05c1bf8d2f5f605d0eef650be880a2dc38a5b25596ed462c7c363265754fe13d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 571058f6340ea5d11c7782ef8be0e6d7992f865f79fbca7ce83dfcec118ad787
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8691C771F18A5D8FEB58EB989875BACBBA1FF68340F0401BAD41CD31EADD2479418742
                                                                                                                                                                                                                                                                    Function 00007FFD9B267DC8 Relevance: .3, Instructions: 279COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8d42b401ea511d914452d98770c6e58eebb2ba683d5d13343a6a4a6dbffc4559
                                                                                                                                                                                                                                                                    • Instruction ID: feb8280c25ae7a26a8810ac1de7d543624eea4a217100fac51d92a8b7db9ad79
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8d42b401ea511d914452d98770c6e58eebb2ba683d5d13343a6a4a6dbffc4559
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9791F571E0A94E8FEBA4EF68D8A5AADB7E1FF44340F41057AE419D32E6DE346D018740
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A015 Relevance: .3, Instructions: 276COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 356f149625fc81003ea8ce68d2b6280f4f1bb3655ff659e6c8a10e9d819f5c7f
                                                                                                                                                                                                                                                                    • Instruction ID: 6da865d132197b14eb51ca0ff79796b1cc9a0da48bd72caa066129a64782b65e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 356f149625fc81003ea8ce68d2b6280f4f1bb3655ff659e6c8a10e9d819f5c7f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E3912D71A1CE8A4FE768EB5CC4A5B65B3E1FFA4350F01417AD05EC31E2DE28B9428781
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C385 Relevance: .3, Instructions: 275COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f1de1f7a3b03b5526169bcaa8b0cc47820ff54ccec4c0c14368693cd6be364d3
                                                                                                                                                                                                                                                                    • Instruction ID: 23e4765a7952d30bc411b6c695d230abbcffa050bd69bb46cc4556648d5f8e1b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f1de1f7a3b03b5526169bcaa8b0cc47820ff54ccec4c0c14368693cd6be364d3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A813913B0D5574BE3257BBDB8B28E83B50EF4132470A42F7C59D4A0DB9E18714A9295
                                                                                                                                                                                                                                                                    Function 00007FFD9B26EA30 Relevance: .3, Instructions: 271COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fdcad40cd65bf851e860579509b3ee61c11bdad187cc80d55086b8e87841c775
                                                                                                                                                                                                                                                                    • Instruction ID: 48fd19e4ff746c05d51a90e9bec1e3eec635f32cb332d98f58eadb66b13c7834
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fdcad40cd65bf851e860579509b3ee61c11bdad187cc80d55086b8e87841c775
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA715812B0FECE0FF36696AC586527A3BD1DF96A5071500FBD098C71E7ED285D468381
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CCC7 Relevance: .3, Instructions: 264COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 594e79f4dff880b2114ee3acf5f0a5b194025f3365a24668c41b9f3267ec14e8
                                                                                                                                                                                                                                                                    • Instruction ID: 985353ccd739ea5e0a0ca75d070e401ebe727d40f128822a7aa9c2c47f791e9c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 594e79f4dff880b2114ee3acf5f0a5b194025f3365a24668c41b9f3267ec14e8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 74710631B0D91ECFE778BBACA4655B877D0EF99321B0501BBD44DC31E6DE15AD428680
                                                                                                                                                                                                                                                                    Function 00007FFD9B264610 Relevance: .3, Instructions: 260COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 21f75a2434d9ec8c6a3ec6d44fbf3288bc8b406bb78c458e77f5f5905a14cf19
                                                                                                                                                                                                                                                                    • Instruction ID: 53a8167c9021554a84da5a37397bb1895bc57a76fae7b328cdaf33e8001b7ad0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21f75a2434d9ec8c6a3ec6d44fbf3288bc8b406bb78c458e77f5f5905a14cf19
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DB916071A18A8E8FDB94EF58C854BE9B7F1FF58300F11427AD41DD7296DA34A846CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C970 Relevance: .3, Instructions: 259COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a86e09d080a5c9ad0cf7fd5ff878c6edc64be75d75b03825242ae62990c276fb
                                                                                                                                                                                                                                                                    • Instruction ID: da09e76a3fb657132bc54caa9173977867e9b3b4cf095e9f65515575f2e1c657
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a86e09d080a5c9ad0cf7fd5ff878c6edc64be75d75b03825242ae62990c276fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AA71F831B0DA4C8FDB55DB6888A59BD37F1EF9A310B4501BAE409C72A2DE35FD428781
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C940 Relevance: .2, Instructions: 249COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c8c9f4ee821ffff59b35e3db7e1b9e4f055805bdcdfaee2051d3d92efa9c5dbd
                                                                                                                                                                                                                                                                    • Instruction ID: cda0ddcc256f2b88da36a655e39f4ae52a6bdd3df138a786d49e52f76be6fee9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c8c9f4ee821ffff59b35e3db7e1b9e4f055805bdcdfaee2051d3d92efa9c5dbd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D719231F09C2D9FEFA4EB6CD4696A937E1FF59351F050176D40DD32A1DE28A9418B80
                                                                                                                                                                                                                                                                    Function 00007FFD9B279C30 Relevance: .2, Instructions: 248COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d477d5b61b14842ec92ddc4fc182d45f2ac28249fd373c7a58725c6af6404824
                                                                                                                                                                                                                                                                    • Instruction ID: 8038bcc54a6194ebdd5ed35934898f42ee43596d31348c41099b3b7388622ef5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d477d5b61b14842ec92ddc4fc182d45f2ac28249fd373c7a58725c6af6404824
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A711230B0EB4A8FEB79AB6C84AD57577D1FF59300B16007ED08EC32A2DE28B9418745
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C9E7 Relevance: .2, Instructions: 243COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 16627941e434521804f3776625a3af0964c5cad3d9175748ca488e9577e4e32c
                                                                                                                                                                                                                                                                    • Instruction ID: 798e68ef8a3355782061abeabcfea42f6fd7bf339399e0ef5530b886ea3d0b5a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 16627941e434521804f3776625a3af0964c5cad3d9175748ca488e9577e4e32c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D6814B30A1995D8FDFA4EF58C894AE977E2FFA8354F054276E40DE3265CA34E841CB80
                                                                                                                                                                                                                                                                    Function 00007FFD9B27A193 Relevance: .2, Instructions: 239COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 881ab8816cab9e1e615ffa9ab637b2168b6200ceec7169118d6e682b836ed910
                                                                                                                                                                                                                                                                    • Instruction ID: cafe0ddb06844f0d92bf738dd5d3d8f5998c84195bd69a198d27259cab56c4ba
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 881ab8816cab9e1e615ffa9ab637b2168b6200ceec7169118d6e682b836ed910
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC61E423B0F6CD4FF766576858B51A53BE0EF57630B0E01FAD4D88B0A3E918B9068316
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D76E Relevance: .2, Instructions: 236COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bcf925634dcbb87f91b9cf213901d6d04a570ddcb2f8adacf4f1b03484389201
                                                                                                                                                                                                                                                                    • Instruction ID: da9a2c6d2f23b0aaffb8de94cd0add85dd0137cec50a35b57c940093f8f33c97
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcf925634dcbb87f91b9cf213901d6d04a570ddcb2f8adacf4f1b03484389201
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 41514832A0EA8D8FE7699A6C88655B877E1FF45390B0501BBD059C31E6DD2929438381
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C948 Relevance: .2, Instructions: 229COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8ad4e290b0eb8b2613bfeac368b1c22c18f92fee8a0dbcc902a7cd6d8d19c68f
                                                                                                                                                                                                                                                                    • Instruction ID: a5da00677cbbdd35474fb5fdb965234f7ac53b7bafeffbadec1f0ac29adf464d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ad4e290b0eb8b2613bfeac368b1c22c18f92fee8a0dbcc902a7cd6d8d19c68f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24610E31B0991D8FEFA8EB9CD4A4BA973E2FF59351B450479E04ED72A1CE24ED418B40
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C961 Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9b1faa3a9f6d69b7825a1398fa5f0c80ee36258ae7f42920b2cb3d803a566fdc
                                                                                                                                                                                                                                                                    • Instruction ID: 8eef535d748ae2a2d8903bb8b4bbe022edd571bb3fafd4f91c640e34cf110e20
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b1faa3a9f6d69b7825a1398fa5f0c80ee36258ae7f42920b2cb3d803a566fdc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86519F71A1CF4C8FEB64EB4C98566FD77E1EB99310F05013BE44AD3261EA35B9428782
                                                                                                                                                                                                                                                                    Function 00007FFD9B268A55 Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9b31085e90dc910c251cb799757cc991bef612d5fd1e849cef946e8aeb65bc0a
                                                                                                                                                                                                                                                                    • Instruction ID: 0fe924e30e1da3d58143e6f3fb93c1387f831fdf7aed5f165a62479905acf78f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b31085e90dc910c251cb799757cc991bef612d5fd1e849cef946e8aeb65bc0a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E61D371E0A64D8FEB65DBA894616F97BF0EF45304F05017BD048DB2A2DB3D5982CB50
                                                                                                                                                                                                                                                                    Function 00007FFD9B27CE18 Relevance: .2, Instructions: 225COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: db2619184a8eff66d6bc8d3edabe8642be3f975165921818e7dbca65332e2cda
                                                                                                                                                                                                                                                                    • Instruction ID: acac220b7f9f050edda021fa90e0580eba02110f70abba839a59e309c3907d62
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: db2619184a8eff66d6bc8d3edabe8642be3f975165921818e7dbca65332e2cda
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C661143060DB498FDB68DA58C4A56B9B3E1EF95300F11427ED44AC72B6EE39F942C781
                                                                                                                                                                                                                                                                    Function 00007FFD9B264667 Relevance: .2, Instructions: 223COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2c05804b7081a401c44f3e78018a0be763f00c377ff7031002021ce81582a1fc
                                                                                                                                                                                                                                                                    • Instruction ID: 59078399d76ade6209a5b187d057ff2cec48d8d6ecb04e270eb9de1e2b05bc0a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c05804b7081a401c44f3e78018a0be763f00c377ff7031002021ce81582a1fc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A671FE70A1894E8FDB84EF58C895AE9B7F1FF58300F50426AD41DD7296DA34A846CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B2680DD Relevance: .2, Instructions: 219COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a6c27d6cb8a1b7d0673f658db2903d3e381c681bb6ca7aa01db13e2b4391733d
                                                                                                                                                                                                                                                                    • Instruction ID: 83d5e504ff975ac423d95ab6009c476aebae5a6e4f5291fd19c85e754764f0eb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a6c27d6cb8a1b7d0673f658db2903d3e381c681bb6ca7aa01db13e2b4391733d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2B813B30E0965D8EEB68DFA8C8647FD76B0EF59304F5001BAD019E72E6DB381A85CB51
                                                                                                                                                                                                                                                                    Function 00007FFD9B273C40 Relevance: .2, Instructions: 216COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f56526035787dfe638c2ac4d19063dfad7a9f7f182643c69e2118d892a474a2b
                                                                                                                                                                                                                                                                    • Instruction ID: 24bd767910a2d49cd766f86fd934b2a061a63611ea72359935d41c42f5760043
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f56526035787dfe638c2ac4d19063dfad7a9f7f182643c69e2118d892a474a2b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9B51213072AA0E4FE7689B5CD894A75B3E0EF99310715027ED44EC32A2DA25FC83C785
                                                                                                                                                                                                                                                                    Function 00007FFD9B274005 Relevance: .2, Instructions: 214COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 30b8fbcc2fb5792bc80b578cccf2f0896b23dbad11fff629840152d6bc475d58
                                                                                                                                                                                                                                                                    • Instruction ID: d9a9c827608074eabbcfd089494d27c7ec2312118523736693cf7e959bc038a3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 30b8fbcc2fb5792bc80b578cccf2f0896b23dbad11fff629840152d6bc475d58
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 88513621B1EA4F0FEBA8A65C64B15F977C1EF45320B5501BBD84EC71A7ED09F9428344
                                                                                                                                                                                                                                                                    Function 00007FFD9B26E648 Relevance: .2, Instructions: 213COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: dce9953200ec461c804c37f09449f062d83b26b79b9e7978aeaf1fe36618771f
                                                                                                                                                                                                                                                                    • Instruction ID: 8b4d1b1220d89130cb304f55f3903edc1d873c7b8a6f2921a13e913bbc0ff172
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dce9953200ec461c804c37f09449f062d83b26b79b9e7978aeaf1fe36618771f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA51313071AA0E4FDB68DA5CD896A7173E0EF99310B15067DD84EC32A2DE25F8878785
                                                                                                                                                                                                                                                                    Function 00007FFD9B265B6A Relevance: .2, Instructions: 199COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: de122796a1dae3651380bcbbf802755da3849e07b84e23a51cc70867228d17f7
                                                                                                                                                                                                                                                                    • Instruction ID: 2904edb832fc74e2a42d94a9d8fbafa058eeaf8abd81c04395affd9f07a69c8e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: de122796a1dae3651380bcbbf802755da3849e07b84e23a51cc70867228d17f7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F61F43094E7898FE796DB68C864BD97BF1EF4A300F1501EAD048D72A2CA3D5986CB10
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A900 Relevance: .2, Instructions: 198COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 541274a7b41889071d25276b065fb5b8b6abda2af83ead713acbfa4530f60d54
                                                                                                                                                                                                                                                                    • Instruction ID: fca30e92a1868a0eea8360f3c0a6a5056f129f0de35fb13f22521caf84ea33f4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 541274a7b41889071d25276b065fb5b8b6abda2af83ead713acbfa4530f60d54
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 32510B52B0FACE4FE3669BBC58711B5BBA1DF4321471902FBD498CA0EBDC095906C351
                                                                                                                                                                                                                                                                    Function 00007FFD9B281619 Relevance: .2, Instructions: 195COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d8bbb49d1b2aa72884cdddda270bfd18c0c0b3e6128febb5c7f13c62d1b0aaec
                                                                                                                                                                                                                                                                    • Instruction ID: 3f129153a14269c10ba5cedcc8bd7cb2ab8c9afe68f0eb102452ee816ffd017f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d8bbb49d1b2aa72884cdddda270bfd18c0c0b3e6128febb5c7f13c62d1b0aaec
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD51E620B1DE5D4FDBA5EA2C8465AB937D1EF98741F0501BBE44EC32E7DD28A9418381
                                                                                                                                                                                                                                                                    Function 00007FFD9B2735A0 Relevance: .2, Instructions: 184COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 740821b55c3eb45f28e82d7215468d6d9f3b3fab1ff7f2cc7fff1c3ee42909d0
                                                                                                                                                                                                                                                                    • Instruction ID: 5d8d258b05ee5449fb48f7c74e6ff8ce6e765a248f8c4a524a5c91913e1c35b2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 740821b55c3eb45f28e82d7215468d6d9f3b3fab1ff7f2cc7fff1c3ee42909d0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A951F671B0EA8D4FDB94DFA888A46B87BE1FF99340F1401BBD458C72A6DD256A02C744
                                                                                                                                                                                                                                                                    Function 00007FFD9B2605A0 Relevance: .2, Instructions: 180COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3bb7cd48180ccae2d6b37c47902cdce7745d0e3bfa287c0685e3f5bcc54d7026
                                                                                                                                                                                                                                                                    • Instruction ID: d36418e261d5412b7b39877118e166555b8b28bab827df05d82c99fcfb0baed9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3bb7cd48180ccae2d6b37c47902cdce7745d0e3bfa287c0685e3f5bcc54d7026
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 07515B30E1965DCFEB68DF98C4A06FDB7B1EF49300F21013AE00AE32A1CA796941CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B26ADFA Relevance: .2, Instructions: 179COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d8a834f934c91773dbbcd9d49365ad0c40589235f0f114968679740a97d2afad
                                                                                                                                                                                                                                                                    • Instruction ID: 12cc81311761a8d13637dc2e6b0c94b3b3d0e209246dec2d0f8e05e73208d274
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d8a834f934c91773dbbcd9d49365ad0c40589235f0f114968679740a97d2afad
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A541F722B0ED4E4FD7A8DB6C94606B673D1FF9A25074502BBD44DC7296DD19E8028381
                                                                                                                                                                                                                                                                    Function 00007FFD9B268AA5 Relevance: .2, Instructions: 177COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8666697c98062e1bdf5e532016f3f37efd60531025fb8bf538125de2f4a75bdd
                                                                                                                                                                                                                                                                    • Instruction ID: 9d48250d27fcc774be2e2a0f08e4469f6ce01ee55d59515394a0cd2ecc12a4d6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8666697c98062e1bdf5e532016f3f37efd60531025fb8bf538125de2f4a75bdd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A2511870E0E69D8FEB55DBA898656E97BF0EF45314F0501BBD048DB2E2CA3C1942CB51
                                                                                                                                                                                                                                                                    Function 00007FFD9B27A1F3 Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e5b8c05d82a05c48800d4405940f334438676c63e82346a8511b8a09c0a076ee
                                                                                                                                                                                                                                                                    • Instruction ID: 8b767e36bfee56ca58bbc8c96bb63bdd2ad42633ec02b6024b927483d5ad9970
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e5b8c05d82a05c48800d4405940f334438676c63e82346a8511b8a09c0a076ee
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4741F622A0F6CD5FE765576C98B61613BE0EF67630B0A01F7D498CB1A3EE14BC068315
                                                                                                                                                                                                                                                                    Function 00007FFD9B27E8FB Relevance: .2, Instructions: 176COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4a0042bb8e08ea7ebc53ea07fdd0ad2376b2f2d17385e6acc73a75666a66d215
                                                                                                                                                                                                                                                                    • Instruction ID: 0ee0465079414148c2787033045689efee3458cd6090a5b420cdd6e1f85fd7c2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a0042bb8e08ea7ebc53ea07fdd0ad2376b2f2d17385e6acc73a75666a66d215
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 15510561B19D4A8FEB94FB6C84A5AA437D1EF69300B0541BAD44DCB2E7DD28AD428381
                                                                                                                                                                                                                                                                    Function 00007FFD9B27AFD9 Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0f9e6a1b0ccc3f2509a46d7d93d60363fb48e323d605ac65d725f966f999c3ca
                                                                                                                                                                                                                                                                    • Instruction ID: 2e39ab48655ba31dae13758683b2f675888b134c5c5b1a8dff4aaeb3a91bfb55
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f9e6a1b0ccc3f2509a46d7d93d60363fb48e323d605ac65d725f966f999c3ca
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A511870E0961D8FDB68EFA8C4A5BECBBB1FF59304F51006AD009E7292DB356985CB05
                                                                                                                                                                                                                                                                    Function 00007FFD9B26CD7D Relevance: .2, Instructions: 168COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7af6b5e27de3b610c8b6ce0df000e032989060abf3d5a94b2b6ee4ecfbbb7e71
                                                                                                                                                                                                                                                                    • Instruction ID: e844db3904b424b01b889700b332ff6d2996c87c802ffd55e3bbba8475374e47
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7af6b5e27de3b610c8b6ce0df000e032989060abf3d5a94b2b6ee4ecfbbb7e71
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 39412A36B1D92ACFE768BA5CA4154EC73E1EF9936170501BBD149C32E6CE26BC0782C0
                                                                                                                                                                                                                                                                    Function 00007FFD9B274C00 Relevance: .2, Instructions: 166COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 330f3b21130390a1dc681638b5147ba045778f6b984ae4ca66c8673ab0ccfd4a
                                                                                                                                                                                                                                                                    • Instruction ID: f926b1b60a3a61b3550cd6012c532da177d5eebd82eb52fcb14bf006e69ba2b9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 330f3b21130390a1dc681638b5147ba045778f6b984ae4ca66c8673ab0ccfd4a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4941E622B1AD4E4FE7B9D75C80B5B7923D1EF88340B5901BED45EC72A6DE08BD028381
                                                                                                                                                                                                                                                                    Function 00007FFD9B27F031 Relevance: .2, Instructions: 164COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 157d67772f4d270d4864847c680b87b0cd04deb6a104669652a709eff2a7d8f8
                                                                                                                                                                                                                                                                    • Instruction ID: 78363d75555a6e6b8e5556d3e04f421a0ecbefe33b8bd437d8a9206076caf667
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 157d67772f4d270d4864847c680b87b0cd04deb6a104669652a709eff2a7d8f8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F341E32071DA8D0FE798EB6C98A9A7577D2EF99310B0501BED44EC32E7DD19BD428341
                                                                                                                                                                                                                                                                    Function 00007FFD9B274131 Relevance: .2, Instructions: 163COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9a1179c896201deef4820b345b2aea819e5b77527076adbbe12a22ac4fbcfcba
                                                                                                                                                                                                                                                                    • Instruction ID: f1051dd3bd19489c265faa7e802cee65e70c83a98535ef3468d84f082fdfd499
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a1179c896201deef4820b345b2aea819e5b77527076adbbe12a22ac4fbcfcba
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF51A471E1995D4FEBB8EB68D8A57AC77B1FF58300F1001BAD05DD3296DE3869428B04
                                                                                                                                                                                                                                                                    Function 00007FFD9B262F45 Relevance: .2, Instructions: 160COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bfa7b6ab662dbcae80cc0e3fcb983d5e1fdebe0a894289eb67b934061d9de91b
                                                                                                                                                                                                                                                                    • Instruction ID: 59d04e8cc7d216268a9060acd1d5e64aba9491e9cc2b77e3b77517d3621c5ec7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bfa7b6ab662dbcae80cc0e3fcb983d5e1fdebe0a894289eb67b934061d9de91b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4510870A09A1D8FEF94EFA8D454AEDBBB1EF59300F51017AD40DE32A1DA34A941CB80
                                                                                                                                                                                                                                                                    Function 00007FFD9B278423 Relevance: .2, Instructions: 156COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3cf281a8793d0aafd1729d2aab3ad16f01c89f768b32241ddd0554780f9f7a83
                                                                                                                                                                                                                                                                    • Instruction ID: 467714d3e7fc06f6a62a632b6d437d805911e8c2ff3f6a7e85db6eac5db65f82
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3cf281a8793d0aafd1729d2aab3ad16f01c89f768b32241ddd0554780f9f7a83
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B941C13170DE4D4FDBA8EB5C98A4B7477E1FF69310B1501ABD48DC72A2DA25EC418782
                                                                                                                                                                                                                                                                    Function 00007FFD9B262F38 Relevance: .2, Instructions: 150COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 92246e1add03a5f7e54789bc54c0199e15ab729f8f0fcbb0e9304809e42f223d
                                                                                                                                                                                                                                                                    • Instruction ID: 8fa2bdc388673234284aeb7e38a829a905497bbb08f554c19398505056bf8105
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92246e1add03a5f7e54789bc54c0199e15ab729f8f0fcbb0e9304809e42f223d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69413930A09A1D8FEF64EFA8D454AEDBBB1EF59304F11017AD40DE72A1CB34A941CB80
                                                                                                                                                                                                                                                                    Function 00007FFD9B263C3D Relevance: .1, Instructions: 149COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 96b532aeffdf599b4f7eb7524c46f384907ca21f9b5040dc417d2f8dffde85b9
                                                                                                                                                                                                                                                                    • Instruction ID: ebefca4220f7e5eb17751ff295fb9cb73897b756ce7c6f51487249ee79cf78ec
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96b532aeffdf599b4f7eb7524c46f384907ca21f9b5040dc417d2f8dffde85b9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E7416A31E0965D8FEB58DAA8C8A56ED77F1FF58300F10017AE059D72A2DB396946CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A01D Relevance: .1, Instructions: 149COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5f50b4fa7c8498280fbff33f1fee2ad12060bae30db6809bf391cc85d1eb93e9
                                                                                                                                                                                                                                                                    • Instruction ID: 86f5b497534ad4ce8cc3de2140e928790ce7b02738b6b8f0e2c1a3a2eea04e31
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f50b4fa7c8498280fbff33f1fee2ad12060bae30db6809bf391cc85d1eb93e9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DB418B3261CB894FD354FB68AC65AEAB7D4FFE5310F05067BD04AC3192ED14A94987C2
                                                                                                                                                                                                                                                                    Function 00007FFD9B275A2C Relevance: .1, Instructions: 148COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 77377a08f0c3258c09f93f061a1d31df87150131a85603861fdb3da0beb699f4
                                                                                                                                                                                                                                                                    • Instruction ID: 1a7b297bb6551af082621718ec8500c174dca398f4a9a13c47f469be69f582c7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 77377a08f0c3258c09f93f061a1d31df87150131a85603861fdb3da0beb699f4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4941282170EA8E4FF369A67C58A16B07BE1DF5A310B0900FBE459C72E7DC1DAD828355
                                                                                                                                                                                                                                                                    Function 00007FFD9B26C65D Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 92bff43c11ffe74ad34f6043cfceec0522b7102859be4fcbb1d162034947065a
                                                                                                                                                                                                                                                                    • Instruction ID: b5252dda512d7b9b0801d59d1c1df433ae9fd8710a2c601a830de65759acd8dd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 92bff43c11ffe74ad34f6043cfceec0522b7102859be4fcbb1d162034947065a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A341D73071E92D4FEBB8EA5C9465BB933D0EF5A710B11047AE48FC72A2DD15ED424B81
                                                                                                                                                                                                                                                                    Function 00007FFD9B2638E1 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 887fbc42835fb80c3f57a4457926d67fe43ef28d4e0d1454c15d3e9f6d5fbe5e
                                                                                                                                                                                                                                                                    • Instruction ID: 964dd815630a55fa0fc656485faa3bea79e396ba8a613a8b375252edc1ce01d3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 887fbc42835fb80c3f57a4457926d67fe43ef28d4e0d1454c15d3e9f6d5fbe5e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3416130E09A8DCFEB41DBA8C450AED7BF1EF59310F0501A6D058D72A2DB389981CB51
                                                                                                                                                                                                                                                                    Function 00007FFD9B275150 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bb82958037e2e13265c5cb7828a8a0704085b13b9f97f2eef2e85b5759c04c38
                                                                                                                                                                                                                                                                    • Instruction ID: 360be2ecc95b6f57423ef62417d0ff128756a1af894502f465108bd763819d88
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb82958037e2e13265c5cb7828a8a0704085b13b9f97f2eef2e85b5759c04c38
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D41943071DE8A8FEBA5EB6CC0A0E6277D1EF59300B1545B9D04EC72A6CE29F945C740
                                                                                                                                                                                                                                                                    Function 00007FFD9B26F198 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d1a336a72d71a5b3479507adadd307072f75b2e745e4d1bd731002a31b8e2a1a
                                                                                                                                                                                                                                                                    • Instruction ID: 1192153a3559c4c67a77a44301cb04faf5c644ff38faeb41f684136e51e8b3b1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1a336a72d71a5b3479507adadd307072f75b2e745e4d1bd731002a31b8e2a1a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 80419231B09A0D8FDBA8DF9884A56BA37D1FFA8350F11057EE40DD32A5CE35E9028785
                                                                                                                                                                                                                                                                    Function 00007FFD9B267120 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b65fb96701bdaf511b6efb76f6196366565cb4db6bb8fef8bdf286bc059902eb
                                                                                                                                                                                                                                                                    • Instruction ID: 79d79b3016dd4cfae2fa41322da6432c7b4805ba5f8328f1b89f87fe5ad2de68
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b65fb96701bdaf511b6efb76f6196366565cb4db6bb8fef8bdf286bc059902eb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52311831B1DE0D8FE768EA5C986957977E1EF9D311B05017FE04DC32A6DE25AC0286C1
                                                                                                                                                                                                                                                                    Function 00007FFD9B265768 Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 66ce27617b581232e1d7c3a2f32e7a8ab62f56a47a6476885040ced0a6be4911
                                                                                                                                                                                                                                                                    • Instruction ID: 12265da094695dc6a4658c14a3fdad8403fb74c7715585bb99b40124c7756826
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 66ce27617b581232e1d7c3a2f32e7a8ab62f56a47a6476885040ced0a6be4911
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BA418231E0A64DCFDB69EBA8D4656FCB7B1FF49310F15047AD009E32A2CA795941CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B2684C1 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 814cc45172916b45cc4f6ff2d96dd415e86693385bf273b024faea0f39e0a4f4
                                                                                                                                                                                                                                                                    • Instruction ID: fb6caa78fe13b5fc5f98cd4a1f6befcc91a09d1c7c0130e91af00404cfb193ac
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 814cc45172916b45cc4f6ff2d96dd415e86693385bf273b024faea0f39e0a4f4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E41CE30E0AA4D8FEB94DBA8C4646EDB7F1EF59300F55007BD049D72A2DB3869828B41
                                                                                                                                                                                                                                                                    Function 00007FFD9B275148 Relevance: .1, Instructions: 134COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 84240b23692897c77e2f88126ac1d504047819601327e3aa16de6500734b62d5
                                                                                                                                                                                                                                                                    • Instruction ID: 1d53b7e79930b8575346a4b8954b9a6a84b8836e875e0674f4def6ac4ce1196b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 84240b23692897c77e2f88126ac1d504047819601327e3aa16de6500734b62d5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A7418330719E8A8FEBA5EB6CC0A0E6177E1EF59300B1545A9D04EC72B6CE29FD45CB40
                                                                                                                                                                                                                                                                    Function 00007FFD9B267170 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d849e0a827f8a36969a253d6a194bb8ab38cf91677bd61360a6ffcb0cd7a7d0e
                                                                                                                                                                                                                                                                    • Instruction ID: ff60e1144860a54107425df5d220ebf128249e798cb62f892856e77af25cdac0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d849e0a827f8a36969a253d6a194bb8ab38cf91677bd61360a6ffcb0cd7a7d0e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E331D472B19D1C4FEBA4E75C94A9BBA37E1FF98390F0501B6E00DC72A5DE14AC028781
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BF69 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ffda88c7bd4514957f433c1960c0e01ff0e4669dd0fd57443af3096527c79505
                                                                                                                                                                                                                                                                    • Instruction ID: cf16b5e0e1088e2e45bb87611edb9a6fd1370e8fb570a74b95db688da7254cc3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffda88c7bd4514957f433c1960c0e01ff0e4669dd0fd57443af3096527c79505
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43310722B0EBCA4FD7A69B6888755647BF1EF9624070A41FBC089CB1E7DD0C99068702
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BDE7 Relevance: .1, Instructions: 128COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1fa94ffcd201b9c4e9438b05cf187cbbc486bdc32a7bfe31cc1572f33a294eb7
                                                                                                                                                                                                                                                                    • Instruction ID: 65dba8f9c57c66061a1ce605bd39ba17ca29f74a48e8dca098de28c896979442
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1fa94ffcd201b9c4e9438b05cf187cbbc486bdc32a7bfe31cc1572f33a294eb7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C313F22B0EE8E8FE774DA5854AAAF477E1EB58350F0402BBD45DC31A7DD2969478340
                                                                                                                                                                                                                                                                    Function 00007FFD9B269FC8 Relevance: .1, Instructions: 126COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c5eb83ba05391f758edd36182b6c46279d33b04833a5a9b637dc2ceb85e08e9f
                                                                                                                                                                                                                                                                    • Instruction ID: 40f6c2c8881110651abbcd9e7f1624b51bf8696c73df6b817e1f26b6d9cb0eb2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c5eb83ba05391f758edd36182b6c46279d33b04833a5a9b637dc2ceb85e08e9f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77313C22B1FE894FF7B5956C58A966867C1DF9564471901FAE49CC72F6EC24AD028300
                                                                                                                                                                                                                                                                    Function 00007FFD9B27CF3D Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d2f761e218e85e9184c52cc88f2a154c6d42788b83a508fec0c931803f8644ea
                                                                                                                                                                                                                                                                    • Instruction ID: 180a299ec66a15ef74f2f9ae7181e313f02a2f26c311253c51547a86bac4bdf7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d2f761e218e85e9184c52cc88f2a154c6d42788b83a508fec0c931803f8644ea
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D031AF30719E098BD769AB68C4A4AB973E2FF58300F61417DD05FC32A5DE35B9428785
                                                                                                                                                                                                                                                                    Function 00007FFD9B274040 Relevance: .1, Instructions: 117COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6340d769dc80bd0774ce114bd8f675f1354979216bc1adfd6b0ddb1aba20b839
                                                                                                                                                                                                                                                                    • Instruction ID: e8ff676a79c75c0bf099ecbc543b6db8224458eb8f38ec6544bb6619a5baf286
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6340d769dc80bd0774ce114bd8f675f1354979216bc1adfd6b0ddb1aba20b839
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4621E622B0ED0E0FEBE8D55C54B5679A3C2EBD9291B544176D84DC32A9EE25FD028384
                                                                                                                                                                                                                                                                    Function 00007FFD9B285B70 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b9ea4f68e3b681717517a77b120bee69b0c410ea3ba81a2e654878b70ce276e5
                                                                                                                                                                                                                                                                    • Instruction ID: 36a8db33b22ce91a1a1a82b330385aeedb8ea666abb6de74c9b1ea3da5355307
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b9ea4f68e3b681717517a77b120bee69b0c410ea3ba81a2e654878b70ce276e5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1731D72170EB890FD7669774886956A3BF1EF56310B0640FBD489CB1F7DD286C06C361
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BB15 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fc34d19ddbcb4454d2ec0a40612160d487a87b46d89953b35b1e6988be4d7c97
                                                                                                                                                                                                                                                                    • Instruction ID: 24ddf4b387bf8b4d6d3ac574d24cc5c91d8497cf370b6537ef2b7b870b362ba5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc34d19ddbcb4454d2ec0a40612160d487a87b46d89953b35b1e6988be4d7c97
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EE312771B09A8ECFE758EBA88825AE57BF0EF55310F0402B6D459C71E7EE2929428740
                                                                                                                                                                                                                                                                    Function 00007FFD9B26F1D0 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7c82117b45020edf234eb8ac402c024531d62b9ee46214cbaf97f3bf0acb0f23
                                                                                                                                                                                                                                                                    • Instruction ID: c6e1f5a8ce4052a1f46c086f295560f61f55707c1b206ac4b6559c26e220247d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7c82117b45020edf234eb8ac402c024531d62b9ee46214cbaf97f3bf0acb0f23
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2231E731B0EA4A4FE7A0C9589494675B7D1EFA8364F05057ED44CD32B2CA59FAC1C38A
                                                                                                                                                                                                                                                                    Function 00007FFD9B27D010 Relevance: .1, Instructions: 112COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 34e428d838fdc02c650d3223fa7194baa33702baa4c0267c80ed67e57d6a2ba9
                                                                                                                                                                                                                                                                    • Instruction ID: 92bd5a99fe865b70b38023824ed97b7689d37702ca24b4e7e3779ef14825d102
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34e428d838fdc02c650d3223fa7194baa33702baa4c0267c80ed67e57d6a2ba9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C31E232B1991D4FDB64E79CA4A5BF933D0EF98370F0501B6E44DCB2A6DE14AC428385
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C637 Relevance: .1, Instructions: 109COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e96b27e2d2cbdb4698d6b29552ed5f217dee270d876b549deb4c3ffcaa624b0f
                                                                                                                                                                                                                                                                    • Instruction ID: b3a70be3818e79eb37b2ec0e0e88c854ff023c43f6a54a995dd19cd8c5ee0ec9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e96b27e2d2cbdb4698d6b29552ed5f217dee270d876b549deb4c3ffcaa624b0f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC313A52B0EA4E4FF774A6AC64A86793BD0EF89260F06457FD44DC31A6ED2A3D424380
                                                                                                                                                                                                                                                                    Function 00007FFD9B276E79 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4317ff714d10b59dcd3fa310698712e6b04633baa1562a333eec5f194c4e5dbf
                                                                                                                                                                                                                                                                    • Instruction ID: 9e3fca5bf7c776360b48835754e8e0b0912f20db0dcd23e960f8c4f5809e75e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4317ff714d10b59dcd3fa310698712e6b04633baa1562a333eec5f194c4e5dbf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 81315D7190DBCA4FD755EB38C865965B7E0EFA5310F0402BAD48AC31E2DE28B942C743
                                                                                                                                                                                                                                                                    Function 00007FFD9B270DD0 Relevance: .1, Instructions: 107COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5cff506a0b7d413b03ea603f0b0f9ce9789bd0d94c5f31aa84a602fadfc85fbe
                                                                                                                                                                                                                                                                    • Instruction ID: 6edf1294b5f6abad402ac7a4db2dde9b73bdc579b751e75a15a618a2402f3938
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cff506a0b7d413b03ea603f0b0f9ce9789bd0d94c5f31aa84a602fadfc85fbe
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D721373270994D4FEBA4DB1CE8607B677D1EF89360F4501BAE44CC73A5CE1AAD468381
                                                                                                                                                                                                                                                                    Function 00007FFD9B27F171 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8fae330b33da2d3f155820155993b9b19eec340e5b02ef67ea7a2c397653712f
                                                                                                                                                                                                                                                                    • Instruction ID: 74b6215b92670fce5bc6b8ee6a2d9e8b0197ccf398b1ede5e61d658eb8443d35
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8fae330b33da2d3f155820155993b9b19eec340e5b02ef67ea7a2c397653712f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B821F77271DA190FE7689A1CA85A5B577D0EF89361B0501BBE44DC32A6CD196C8282C6
                                                                                                                                                                                                                                                                    Function 00007FFD9B2681AE Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ee9f87dcfb6ecc2134b93106c2de4a6f9fc6e8892cb254ad9b4a797e0d33fde5
                                                                                                                                                                                                                                                                    • Instruction ID: 3347a2cad8dc0ef6c8ed52ee93adeb57fe2199aef085f05193a1518fc95c8914
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ee9f87dcfb6ecc2134b93106c2de4a6f9fc6e8892cb254ad9b4a797e0d33fde5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DD413C30D0966D8FEB58EF68C8A47B976F1EB54301F5000AAD01DE72E6DB381A85CB11
                                                                                                                                                                                                                                                                    Function 00007FFD9B27D84C Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6c4bdc5edd4710c5302ea65b2fe47f39c14efc6af851f990cdcd66f237ca5fa0
                                                                                                                                                                                                                                                                    • Instruction ID: 77fe358c2c5b8cfb78fbb1f6d9c40baeff08c2c29ccff8f5be37dba81edc6ea2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6c4bdc5edd4710c5302ea65b2fe47f39c14efc6af851f990cdcd66f237ca5fa0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7131B370A09A5D8FDB95DFA8C895BEA7BF0FF19341F05007ED449D31A2CB28A941C794
                                                                                                                                                                                                                                                                    Function 00007FFD9B2798D8 Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f967500a431a622dd3ac70f4ebdbfdfc0c0c6fea4b04fca850a30f36accca1ba
                                                                                                                                                                                                                                                                    • Instruction ID: c1b505416860a6e068d81e2e6169340e536b9af77b0b4b699e50e53eeea5a465
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f967500a431a622dd3ac70f4ebdbfdfc0c0c6fea4b04fca850a30f36accca1ba
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1731D03150EBC58FD7578B6898A42907FF0EF47220B0E00EBC489CB0B3E6689C4AC751
                                                                                                                                                                                                                                                                    Function 00007FFD9B26E948 Relevance: .1, Instructions: 105COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 74cbb12f235239e98f8e1dd374a6b376c2ea5e5323357721465fb05374c8f042
                                                                                                                                                                                                                                                                    • Instruction ID: 87e1f10448b6f672e2b653866da064fc4695d4ea5aa6e9ede8b715ca714f8013
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 74cbb12f235239e98f8e1dd374a6b376c2ea5e5323357721465fb05374c8f042
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D431296171FACA4FE762A77CC8A59643BE1DF5624070940FAC088CB1F6E918B846C351
                                                                                                                                                                                                                                                                    Function 00007FFD9B276D69 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 47f0ebb9532b035964f831a8b02d11993574f8ac831b909b6e2762e96d2638cb
                                                                                                                                                                                                                                                                    • Instruction ID: bb3db7434eaf568b4063d8fd2d77b550fc56f9d16f07ffeb1a4cdcc8c0e0f34e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 47f0ebb9532b035964f831a8b02d11993574f8ac831b909b6e2762e96d2638cb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E431B46161FBCA4FE763972C88A49A43FB1EF5625070E40FBC484CB1B7E919A84AC351
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BB05 Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 932a016e10b98217e676fc6bca272c28d986b3384bc0613771e27166eebdfead
                                                                                                                                                                                                                                                                    • Instruction ID: 4f248b258592477d78fe6aeda1f0ab19a3559a778c171c8310a2dcc85890beb7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 932a016e10b98217e676fc6bca272c28d986b3384bc0613771e27166eebdfead
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DE310321B0EA8FCFE348EBA89436AF87BA1EF19350F0401B6D419C71E7DE1D29428751
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BE16 Relevance: .1, Instructions: 100COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 4933e6e92a964b7c4cde7f1aea7ecc4a86da9da5fe9d16db66301039d77cb671
                                                                                                                                                                                                                                                                    • Instruction ID: 54450bb86bfc4285ccde4fd3e66751f584eb4c9129ec736a1e0af3eaf0b5baba
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4933e6e92a964b7c4cde7f1aea7ecc4a86da9da5fe9d16db66301039d77cb671
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34217022B0FE8E4FD7A5DA58449A6F477E1EBA9250B0502BBC44DC31A3DD1C6D478340
                                                                                                                                                                                                                                                                    Function 00007FFD9B272B9D Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8e74a30e4f8726f2635a08d804c91b115a526f539d9b4a9afe2b090af78c70db
                                                                                                                                                                                                                                                                    • Instruction ID: 26582ff0abe049b2f756ad0d5b769406d7c6df3a94e9640d85774a28b8852a7d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e74a30e4f8726f2635a08d804c91b115a526f539d9b4a9afe2b090af78c70db
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA214B72F0F9690AE7BC45AD78B50B47FE1DF8A26571A02BBD44CC61B6DC161C428780
                                                                                                                                                                                                                                                                    Function 00007FFD9B272969 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bb9ffeb5acb09cc5524ff78a5a59cb359de85dc426d1b0c068fa3d1c476585a5
                                                                                                                                                                                                                                                                    • Instruction ID: 6fe7a15b468bfb87d9970371822f99727568d93edc2a3ead8eba787246132674
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb9ffeb5acb09cc5524ff78a5a59cb359de85dc426d1b0c068fa3d1c476585a5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D131AE22A4F7C94FD76B877898A54A03FA1DF4322032E41EBD084CB1E3D90EA947C356
                                                                                                                                                                                                                                                                    Function 00007FFD9B263AA5 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 723519a59a81f7e01eb86cd6565f7729c78ef31a2bb5897b1f668292da5f3fe4
                                                                                                                                                                                                                                                                    • Instruction ID: 1bccf93139c79f458cb58d09d3904f5e6a18d5a2d78883484afb8cf51dd7d7c7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 723519a59a81f7e01eb86cd6565f7729c78ef31a2bb5897b1f668292da5f3fe4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0931A271E09A8D8FEB55DBA8C4605ED7BF1EF59300F0500A6D058D72A2DB399982CB51
                                                                                                                                                                                                                                                                    Function 00007FFD9B284B02 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8f48496d43970abac670004a5e8b2f3ed72e80002b200dbb8d94836291120778
                                                                                                                                                                                                                                                                    • Instruction ID: e5f3881f657118eb608a2f86f909124a7f7b79148e37f33b7c8041cb1c61bc09
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f48496d43970abac670004a5e8b2f3ed72e80002b200dbb8d94836291120778
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8121F372B0DE0D4FE768AA5C74621BC73C1EF85325B05027FE05EC32E6DE29A8024245
                                                                                                                                                                                                                                                                    Function 00007FFD9B265201 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: dddeac28d68a0dd0947e1d9be0a9ce484ad080aedf5235b11a4de33773d710a0
                                                                                                                                                                                                                                                                    • Instruction ID: 2726476c361095b70945032e6529046fd0ddeb9b7bd890e3149ef7aa0ab930b0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: dddeac28d68a0dd0947e1d9be0a9ce484ad080aedf5235b11a4de33773d710a0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4217F70D09A5D8FEB94EFA8D8656EDBBF0FF59300F04006AD418E3295CB39A9418B81
                                                                                                                                                                                                                                                                    Function 00007FFD9B275DDD Relevance: .1, Instructions: 92COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 21cebdb4e2ac82516005d2eff5abaaae09b9b3266d4fa51957513bf187d5ba5a
                                                                                                                                                                                                                                                                    • Instruction ID: 28609530e1a47bc753131f82a6d181aa9bc4ac37b2829e0b4d441f40587fbff0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21cebdb4e2ac82516005d2eff5abaaae09b9b3266d4fa51957513bf187d5ba5a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7911BA32B1EE4D0FEBE9C12CA0A52B967C1EBC926131501BBD48DC32A6DC15AC438345
                                                                                                                                                                                                                                                                    Function 00007FFD9B279A58 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: cc09af3dfddc6f5a14bd854062c700b6955e26ef6213858a860a0dbfede0261c
                                                                                                                                                                                                                                                                    • Instruction ID: 29f8ce0b847871dfc7a85f1c08fbf010642e916d0ba5c058aa8042e930f649e1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cc09af3dfddc6f5a14bd854062c700b6955e26ef6213858a860a0dbfede0261c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2021373060E65A4FDB65DB68C0D58A67B90DF56310B1542FAD04DCF1ABDD28AD82C781
                                                                                                                                                                                                                                                                    Function 00007FFD9B2689A5 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b87db724bae6aea842f9d258d06fd9f48d6d558d0ab6395663f622cc4c145462
                                                                                                                                                                                                                                                                    • Instruction ID: 2d56bfee7a7949feef50af02dd138569ff3d20fd7d00c9ef9eebbc8b106bd458
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b87db724bae6aea842f9d258d06fd9f48d6d558d0ab6395663f622cc4c145462
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0210830D0A64ECFEB749A5490506E8B7F0EF46314F15027BD45CDB2A1DB395E86C750
                                                                                                                                                                                                                                                                    Function 00007FFD9B26425B Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                                                    • Instruction ID: 8b147d85c8470f043dd1ca0d14ee494b6eb1feee1c106ea85ebf34280d3ce781
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E4214D3188E3C99FD3224BB068226E57F78DF03255F1B01EBD098DB4A3C56D569AC762
                                                                                                                                                                                                                                                                    Function 00007FFD9B265220 Relevance: .1, Instructions: 82COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a4b1b86c0f5f7acc8d4ef1f287f63c4a4c698e47e908fa77c3e4726ecbc081e2
                                                                                                                                                                                                                                                                    • Instruction ID: 9a7ca141dfc807adb5e846e0a051e8a655151b5022e0a470cd6045694d3172de
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a4b1b86c0f5f7acc8d4ef1f287f63c4a4c698e47e908fa77c3e4726ecbc081e2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43214F30E08A5D8FEB94EF98D855AEDBBF0FF59300F00006AE419E3295CB75A8418B91
                                                                                                                                                                                                                                                                    Function 00007FFD9B2760E1 Relevance: .1, Instructions: 80COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 69e94bb6d494095b8d8c6eb8ee046ff7deefe08d4ee33e0b9ec1bfd5553f0a4c
                                                                                                                                                                                                                                                                    • Instruction ID: 3fb7c3ce39836e6b417d7e917eb98749adaf35a1b56744830c8214f6d8e828aa
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69e94bb6d494095b8d8c6eb8ee046ff7deefe08d4ee33e0b9ec1bfd5553f0a4c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9211E322B1FE8A4FE7A685AD2CFD1643AC1EF9960070A00FBE448C33B7EC01AD018345
                                                                                                                                                                                                                                                                    Function 00007FFD9B26ADF8 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bdcc8d14fb22de6fc9932936ed0378702298384a68dd8c83032afbd9a063dff6
                                                                                                                                                                                                                                                                    • Instruction ID: 7f2aeeb9de2fb33d0b80216d289d871dbfe09ea354128ab65f5be66695ab12e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bdcc8d14fb22de6fc9932936ed0378702298384a68dd8c83032afbd9a063dff6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A511E711B1AE4E8FD7A9DB2C84A05E573D1FF9621074515BBC45DC7296DD18E9428340
                                                                                                                                                                                                                                                                    Function 00007FFD9B275E30 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0e459b28df16e3c6c1322c3b551d2909fef3a6219b731e67bb160266df047d4c
                                                                                                                                                                                                                                                                    • Instruction ID: 6b423bbb43514a41bd551ab84d598f55af19b76913277096fb8c65cae671e036
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e459b28df16e3c6c1322c3b551d2909fef3a6219b731e67bb160266df047d4c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F6110436B1ED0E0FEBE8E11C64A5679A3C2EBD8265715017FD41EC32A9ED25EC434344
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D375 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 973591869357e71a437cae2d3bc6fca954285c912da7f3d582b6cf8cdcdba2ee
                                                                                                                                                                                                                                                                    • Instruction ID: 89d25e457a87066b89856746bdda35092e32ff4c04186491ab5a249903728e95
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 973591869357e71a437cae2d3bc6fca954285c912da7f3d582b6cf8cdcdba2ee
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2921381261EBCD8ED325A77958247A56BA1FF91304F0604FFD0CDC71A7ED64BA548302
                                                                                                                                                                                                                                                                    Function 00007FFD9B276100 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c1766af953e7185dadcf805ea88f9336450403159751a4c322435016c55c8564
                                                                                                                                                                                                                                                                    • Instruction ID: b58a7d9d3fcf2ed28b440dd331581e28e629d66f90e96219a7c149250542a3b6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c1766af953e7185dadcf805ea88f9336450403159751a4c322435016c55c8564
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA11E532B1FD4E4FE6E5949D3CED1753AC1DB9965170601BBE40CC3376DC42AD418245
                                                                                                                                                                                                                                                                    Function 00007FFD9B27E5D3 Relevance: .1, Instructions: 71COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0933e34d27287d96bb1ce31d2663a39759edf66213f724e38f05068ae621505f
                                                                                                                                                                                                                                                                    • Instruction ID: 9ca1b081263dce059ed3b26e6418b7cd93bd54b7f510339a063cc9bde4f52c37
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0933e34d27287d96bb1ce31d2663a39759edf66213f724e38f05068ae621505f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB11C86170DA9C0FD7A1EA9C88E96753BE1DF9A21170640F7D88CCF2A7DC14AD05C361
                                                                                                                                                                                                                                                                    Function 00007FFD9B27532A Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e77353588e45fdff2a968e5200de61d50f539e9c4167580504f5303f0105cddc
                                                                                                                                                                                                                                                                    • Instruction ID: 7a1752a83933a93ccfaed6ec25cd60aea6ca6080d31d6d4e7953781fd97f10d9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e77353588e45fdff2a968e5200de61d50f539e9c4167580504f5303f0105cddc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3118E62B0EE1E4FEAA8D54C64A4275A3D1EBE8390314457ED04EC71B5ED11BD0A8744
                                                                                                                                                                                                                                                                    Function 00007FFD9B2738CC Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bab09458ec4a1a7319d5c116a58e8767d21c0c5842b4490bf968b07d10035807
                                                                                                                                                                                                                                                                    • Instruction ID: 645cf14ad57023c69ddb008ca0a29a376e6155a18dbb74f25577159ab68bd2f0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bab09458ec4a1a7319d5c116a58e8767d21c0c5842b4490bf968b07d10035807
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D118021B4AC1D8FEAB4DA4C90E5BB463D1FF99360B2505BAE04EC73A5D918FE428744
                                                                                                                                                                                                                                                                    Function 00007FFD9B2BEDE0 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 127e3e4db1d672ba57b45bf760e94c1cb260d997edce931c6f28a0ce420d886c
                                                                                                                                                                                                                                                                    • Instruction ID: 7f059666850b7b85ccf268a720d5f8d314cd4dcdf4903c87d0add6cafd9aa47c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 127e3e4db1d672ba57b45bf760e94c1cb260d997edce931c6f28a0ce420d886c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF118F3170582D8FD5B4FA9C84A8A3A33D1EF9D310F56057AE04EC76A2DE15AD41C785
                                                                                                                                                                                                                                                                    Function 00007FFD9B26D965 Relevance: .1, Instructions: 66COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 176ad71ce5957b027dd101a0b134a0c97422789c02c3bf05aae61bd27dfe4d6a
                                                                                                                                                                                                                                                                    • Instruction ID: 7fa80674afa6cbe82813757ffbcac69737bd183f611ab782043c69110103b527
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 176ad71ce5957b027dd101a0b134a0c97422789c02c3bf05aae61bd27dfe4d6a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 71113A7150F7C89FD3069B6888649517FF0EF6720170A41EBD088CB1B3CA29998AC722
                                                                                                                                                                                                                                                                    Function 00007FFD9B27AEC5 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 108f2cb97b9d46fe3670a8f64680cb33e597b369a0a6e7c37c0d3be41e7dc787
                                                                                                                                                                                                                                                                    • Instruction ID: 76ade94148f67b929d802786e75ed15befa86df32ca85bb7298ae229077fef8e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 108f2cb97b9d46fe3670a8f64680cb33e597b369a0a6e7c37c0d3be41e7dc787
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B201B562D0FA9D8FE7265B6888A11F87BB0FF03310F0604B6C45DC70B2D92A2A458787
                                                                                                                                                                                                                                                                    Function 00007FFD9B2740B8 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ced8530da8f328e70516febf8b953bf0b038c6fd37f1e1cea5a799de2f56b4f8
                                                                                                                                                                                                                                                                    • Instruction ID: d60ff70f8e3e99d463fb5beac9ff2d3e7cc3670e190ff86c85ec5f53fdc9fe80
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ced8530da8f328e70516febf8b953bf0b038c6fd37f1e1cea5a799de2f56b4f8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E01F743F1F99A0FE365A6EC28FA5F82B80DF6522070A01BBD45DC71A7DC086E458345
                                                                                                                                                                                                                                                                    Function 00007FFD9B26A670 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2075e473f82a49afa96b1fb25e511e273eb9a6683611cfd4939188516ee6dc49
                                                                                                                                                                                                                                                                    • Instruction ID: 782649ff32094fdb6d2eafbceb6ae7c4bdbecf015bd386085f04b79a9758902d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2075e473f82a49afa96b1fb25e511e273eb9a6683611cfd4939188516ee6dc49
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2C016D31B0990D4FEAA4EA9CA85577673D5EB99360F41027BE54CC32A6ED15E8018381
                                                                                                                                                                                                                                                                    Function 00007FFD9B2652FD Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8809ca90b2a87a0a419954b9a07994aa7f14fbe41cf402c02d0c8add5fb92ffd
                                                                                                                                                                                                                                                                    • Instruction ID: 950dc4352a64f31893f32cf8391a5ba6b36d511da16fc72dd3db29d2c3effb4a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8809ca90b2a87a0a419954b9a07994aa7f14fbe41cf402c02d0c8add5fb92ffd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF01D63585F2CE9FE3266AB058A60E57FA0EF46714F0601A7E058C60A3D95E175AC352
                                                                                                                                                                                                                                                                    Function 00007FFD9B27C785 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9f36121a71ecb613c79f4637c233f2a039b22e93923cbdb10b454f497cd48f2c
                                                                                                                                                                                                                                                                    • Instruction ID: 0d00a71024dc57a6fc999be47563371a43f8c85ef572ce60c686a84b27d218a8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f36121a71ecb613c79f4637c233f2a039b22e93923cbdb10b454f497cd48f2c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3001A231B1DA480FE398DA68D4B97B5B7D1EF58311B5900FAD408CB2E6DE1AAC418341
                                                                                                                                                                                                                                                                    Function 00007FFD9B2779C1 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 26017f90730966e7f60ba232955c88e2b7dddfeeb3ae4bb514574dc2f07d2f7a
                                                                                                                                                                                                                                                                    • Instruction ID: 4389d81cbba96c4514ae419d76b20ebd2362cce54d607da54932ea15511d0d9b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 26017f90730966e7f60ba232955c88e2b7dddfeeb3ae4bb514574dc2f07d2f7a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C9F0E92271E98C0FF3A4956CAC5D9B23FD4DB6A23231602FFE848C7173E902AC028355
                                                                                                                                                                                                                                                                    Function 00007FFD9B270DB9 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: be46d3475c7e3ee13a3d462cf43a1c55b17b770abe4dbfd0542a35b5fb5c1c29
                                                                                                                                                                                                                                                                    • Instruction ID: f28e09e3d4207e8bd243c24f313e6a7df5ad27ef6872af802f32ddbe1c8c1686
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: be46d3475c7e3ee13a3d462cf43a1c55b17b770abe4dbfd0542a35b5fb5c1c29
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9801F73120EBC94FD756922898706A27FE0EF96214F0901EBD484CB2A3C91A9906C392
                                                                                                                                                                                                                                                                    Function 00007FFD9B272D68 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e8f70fdcff41b3bdc81d2384057ed6dd34c232acbd0133fb5f95e6595c35a45b
                                                                                                                                                                                                                                                                    • Instruction ID: ceaa042a582f71c0caec72a02830826c92c238589224772abc2b4ec2d6f70ef2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e8f70fdcff41b3bdc81d2384057ed6dd34c232acbd0133fb5f95e6595c35a45b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EE019230A09B488FD7A4EB289458A6A7BE1EFD8310F04057FE88DD7275DB38AA41C741
                                                                                                                                                                                                                                                                    Function 00007FFD9B26AE30 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d12ab25b4f9f41f613483a2bfaad7aeef355812a7ba44a615f3447bb9dadfe7f
                                                                                                                                                                                                                                                                    • Instruction ID: 8f4020b1ec382ce5d08f69cbb95793a6f857735743ebde52dac0e90220654ce8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d12ab25b4f9f41f613483a2bfaad7aeef355812a7ba44a615f3447bb9dadfe7f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F01A921B29E4F8FDBA8EB1C84A09B673D1FF99300755557AD44DC31DADD29E9428380
                                                                                                                                                                                                                                                                    Function 00007FFD9B268A22 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                                                    • Instruction ID: d0d80387e84ffb245f42521b159270c712a911f194453ce7e0f137ea056c2905
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 23F0F035E4960E8FDB30AE94E0002F9F7B4EB82314F01213BC50CE7150D77A9A95CB48
                                                                                                                                                                                                                                                                    Function 00007FFD9B264228 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                                                    • Instruction ID: c949564e69cb8a7b56f26ca55845d029e587f0a34c2a4819ebb1dcd03a647fb3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65F0F035E4950D8FEB20AE95E4403F9F7B4EB82354F11203BC01CA3150D77A9A95CB48
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BF80 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b65909587477754224a07ce898d34105fdc2ad39fd97ed8dfa9f91b7d750beaf
                                                                                                                                                                                                                                                                    • Instruction ID: d043efc79281fb2748b974e92005d216330b2795ee6528d683d7fbf4f2a71714
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b65909587477754224a07ce898d34105fdc2ad39fd97ed8dfa9f91b7d750beaf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9801D631B29D0F8FDBA8EB188065DB6B3E1FFA430074445BAD41DC329DDD28E9418741
                                                                                                                                                                                                                                                                    Function 00007FFD9B264DC8 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 64a73671156bef6bce7f9de94d3d8742a75b23b41c83539b995df6e5e24eaa65
                                                                                                                                                                                                                                                                    • Instruction ID: 2ca32467223f686ba9ae0b822ff4582bb6d2248cee0c4c85b4bcea05212d00ed
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 64a73671156bef6bce7f9de94d3d8742a75b23b41c83539b995df6e5e24eaa65
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3011231E0550D8FEBA4DB58D8A0BAC77B1EF54300F5041BAD45DD3295CE355D82CB01
                                                                                                                                                                                                                                                                    Function 00007FFD9B27D19D Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 29c3d9b85389eeb7df7233259b211e92f72283c8b442a4c325d7f47effee2b6b
                                                                                                                                                                                                                                                                    • Instruction ID: d64f2a8bcbb32e2e0873e93bcb9bd1d1983e369fd3d3f595bcf23862f2151304
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 29c3d9b85389eeb7df7233259b211e92f72283c8b442a4c325d7f47effee2b6b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3201A454A5F7CA5ED76367B81CB05A22FA5CE8722470E01F7E4C8CB0A7D80C5956C3AA
                                                                                                                                                                                                                                                                    Function 00007FFD9B264B89 Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0701c8eb2a06887ae742a5129f2f7f4536254bae5900c704edc6833eb8256971
                                                                                                                                                                                                                                                                    • Instruction ID: 1d2261a56f20e58a6fef126ad65a26874f8c4ff8f9922029278e115221419df3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0701c8eb2a06887ae742a5129f2f7f4536254bae5900c704edc6833eb8256971
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9301A22091D68D9FE755EB6898646E97FB0EF09200F4601F7D459CA0A2DA291A49C711
                                                                                                                                                                                                                                                                    Function 00007FFD9B26AF99 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6c2e76441cfe1a275862e24107f00205df887fbfe842475e9f820a5072cf567e
                                                                                                                                                                                                                                                                    • Instruction ID: 43bc2c72a13b37fc93f5bc8d1d5f0c9c8d90bc2ff7e36d7c61d2dd46a1b410fb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6c2e76441cfe1a275862e24107f00205df887fbfe842475e9f820a5072cf567e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF01AF30918B8E8FDB45EF6488645FA7BF0FF19200B4404BBD85CC71A2DA385914C751
                                                                                                                                                                                                                                                                    Function 00007FFD9B2625AB Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7dccc75577bc8d28f6976f6350dfe1d2bb0e31d3cc75f0e180e772ffbde5c338
                                                                                                                                                                                                                                                                    • Instruction ID: 19cf5e18892b045d6090ca2f244626165ed874de7b2f45d6a4e176937cb5e108
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7dccc75577bc8d28f6976f6350dfe1d2bb0e31d3cc75f0e180e772ffbde5c338
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69011A71B0851DCEEBA4DB589898BE9B7A1EB98300F0001E6900CE2151CE346A81CF41
                                                                                                                                                                                                                                                                    Function 00007FFD9B284A63 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 93f46498e4929ff9474cdda04d0dabb9c3df7c8cafec3a1f21cb12caceee3bd6
                                                                                                                                                                                                                                                                    • Instruction ID: f7bddc1dd371629745a46b1dc6592db1eb737e62e376e640f4856d9c76024e50
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 93f46498e4929ff9474cdda04d0dabb9c3df7c8cafec3a1f21cb12caceee3bd6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3BF0FE71A2CB088B9F54AE4CBC434AD77D1FB89B20F10116FF94943255D631B9628AC7
                                                                                                                                                                                                                                                                    Function 00007FFD9B269E95 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 679d1e55e5bc276065f0dc4d888161ba3c5b5928efae3a1f2ece81bf6ecc832b
                                                                                                                                                                                                                                                                    • Instruction ID: 33866aebaa07fc8cf516d89834ad91368b091ebd20d7316caafed85e0e245857
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 679d1e55e5bc276065f0dc4d888161ba3c5b5928efae3a1f2ece81bf6ecc832b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 74F08212F1FE9E4FD366A26C28B91A81BC1DB9912074A02F7D448C72B7EC0D59434382
                                                                                                                                                                                                                                                                    Function 00007FFD9B270F12 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3ed68620a2e1133d49fe67808d1630f6acef4303569ab31d64fe1afecad773b7
                                                                                                                                                                                                                                                                    • Instruction ID: 9523ff4159c352713cbd824ab5c5ab4a87a7f2e1f45d067217c7d7f2b2564844
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ed68620a2e1133d49fe67808d1630f6acef4303569ab31d64fe1afecad773b7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1AF0282160FACE1FD766977C84A49A17BE0EF45710B4901FBC488CB2A3DD18B9998392
                                                                                                                                                                                                                                                                    Function 00007FFD9B264B1D Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 045855d4dff4f08319ce71e963be46356de86c81121df0c35e96ee7b9bc98001
                                                                                                                                                                                                                                                                    • Instruction ID: 6075e4c8ca33bbf306be622a754f5f889fea7f93dc25f95eb2505927f0d34328
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 045855d4dff4f08319ce71e963be46356de86c81121df0c35e96ee7b9bc98001
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9901D63090A68DCFDB54EF54C8612EA7BA1FF55300F4205BAE41CC7296CA79E950C780
                                                                                                                                                                                                                                                                    Function 00007FFD9B263E50 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                                                                                                                                                                                    • Instruction ID: c99bdbc8bc203ae5b8ef0614f1018beccd0104cb88e1c4da355d61781a7e6379
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 29F08C30D0560C8FD7209EA9A0003F9F7B4EF4A305F41207AD00CA2190C37A9696CB14
                                                                                                                                                                                                                                                                    Function 00007FFD9B2732E8 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 6b296117241f4cc455ba10151624fcfb778136426c71024196a8bad9084a692c
                                                                                                                                                                                                                                                                    • Instruction ID: d9729aa910e4b43f922cd850f714021f2f14d70ff68160202316f7afbb29e0fd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b296117241f4cc455ba10151624fcfb778136426c71024196a8bad9084a692c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34F02732B1AD1E4BD6B4FA5C64A4ABA33D1EB95310F010136E80EC3299DD2979828385
                                                                                                                                                                                                                                                                    Function 00007FFD9B265038 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: aeb35f37c3a69e9cec57d8fb1b1c3bf6d060a81500b993dcbb88522b11130ddc
                                                                                                                                                                                                                                                                    • Instruction ID: 3d6db2ef77d58cbc731af6f4e5b59be4c79ad205f5b06e976d88f989e7ec19c2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: aeb35f37c3a69e9cec57d8fb1b1c3bf6d060a81500b993dcbb88522b11130ddc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18F01D31F0592D8FEBA4EE589860BE9B3B1EB49210F4041B6E05DD3195CE35A9418B41
                                                                                                                                                                                                                                                                    Function 00007FFD9B274F35 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 574fb1fff7bb69c0f61908275964997bbe1eaa9e76f102463210121c5062c41f
                                                                                                                                                                                                                                                                    • Instruction ID: 6297f68158fc5c08e926ff3ec9e1cc278da665d460a206a60fbeecf24baca93e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 574fb1fff7bb69c0f61908275964997bbe1eaa9e76f102463210121c5062c41f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F8F0E931A1AA4E4FD365DB5C84956A477D0FF04310B5601BAD448CB2A2DE28F9918785
                                                                                                                                                                                                                                                                    Function 00007FFD9B284A9D Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e286c43c69dc1c0e45b049dd5d4d045558aa09e931020dbcd30c9c029f00b778
                                                                                                                                                                                                                                                                    • Instruction ID: d9abb327a0618f6c350ea032cb5b98a5981120ec85eb249ea58958615de93462
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e286c43c69dc1c0e45b049dd5d4d045558aa09e931020dbcd30c9c029f00b778
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 07E06D72B2CB088B9B189E4CB8430FD77D1EBC8631F00022FF54A93651DA32B41246CB
                                                                                                                                                                                                                                                                    Function 00007FFD9B278FC4 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ce0ceac4ed1fcd2b9ba8640beb3094edf2e5912b87f7b9b90fc981b2809e7db5
                                                                                                                                                                                                                                                                    • Instruction ID: 53d3f485ef39014cd7007072e891b23257e11206b57c59222c376d71a7de6d3e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ce0ceac4ed1fcd2b9ba8640beb3094edf2e5912b87f7b9b90fc981b2809e7db5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 08F0BE2670E94D4FDBA0CA8CE4E8B61B3E2FF98320F4902A4D04CCB265C635BC018781
                                                                                                                                                                                                                                                                    Function 00007FFD9B262EAC Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: eda5133cd0aa822bfe7ceba03ba84101d64d61d3222397ccaa0f21029f60fdff
                                                                                                                                                                                                                                                                    • Instruction ID: 094f4e5b7e015d91425c4a50b836dba7ea3be06427a383742532148b7270b429
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eda5133cd0aa822bfe7ceba03ba84101d64d61d3222397ccaa0f21029f60fdff
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E1F0FE30A1494ECFDB88EF54C8A5AFAB3A1FF59300F4145B6E81DD31A6DE35AA518B40
                                                                                                                                                                                                                                                                    Function 00007FFD9B26BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c3b9d1eec5f60a8290f1fdddc8ef12b1772bb2e93726e6950f331effface58c9
                                                                                                                                                                                                                                                                    • Instruction ID: b2bbe25dcb1905c8da07c006ce0745a57157330d4873696211beb7109be6add6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c3b9d1eec5f60a8290f1fdddc8ef12b1772bb2e93726e6950f331effface58c9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52F05B75F1550DDFD758E7988895DAC77B1FF9C740F410175E449D32A2DE296901C700
                                                                                                                                                                                                                                                                    Function 00007FFD9B27EAAD Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 426ec5de9aceea6b2a2d676e501b2c36062dcf6dc131d5ebb9e7c3051c215069
                                                                                                                                                                                                                                                                    • Instruction ID: 7570e3c4414389e7cd53084fc5434e1fc5fa206db3e876754cd86674982481c0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 426ec5de9aceea6b2a2d676e501b2c36062dcf6dc131d5ebb9e7c3051c215069
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4DE0920170E6CA8EDB276B7454F05F57BA1DF57200B5A14F6C4C98A09BCD082582C352
                                                                                                                                                                                                                                                                    Function 00007FFD9B283BB9 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8c700a9ce90d84ab34d6fcd11e90c13c8f3462a7889c9b716c043e91c44dffe9
                                                                                                                                                                                                                                                                    • Instruction ID: 2e96acf0fb7476bea6885ef56a77c03672947911e7c9610cd8eae73ceb008ff4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c700a9ce90d84ab34d6fcd11e90c13c8f3462a7889c9b716c043e91c44dffe9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D6E048317199094BE72CAA54D4A06F83392EB95320F25463BD406C71E5DD7DAA418384
                                                                                                                                                                                                                                                                    Function 00007FFD9B283918 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2f29cd20c2e3e672296a151022a068c019da24a52b49100f5c61f59f42062c9f
                                                                                                                                                                                                                                                                    • Instruction ID: 79c1eba31f6b897090b34c76c377d4f261161910b536dce440b3c09777433f1f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f29cd20c2e3e672296a151022a068c019da24a52b49100f5c61f59f42062c9f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A1E0EC303089198FDBA4DF1CE494F6973E1FF48351B5505AAF44ACB275D628DD819B81
                                                                                                                                                                                                                                                                    Function 00007FFD9B2839AB Relevance: .0, Instructions: 25COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 1d6026155ff842a96b3bd8194251a23930f81c307d4ab7cdfe691dfa2b99c2ae
                                                                                                                                                                                                                                                                    • Instruction ID: e5d57c4f94799be7b991fe48761a067dc295e2a70a3e71fb01d1bbef070545be
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d6026155ff842a96b3bd8194251a23930f81c307d4ab7cdfe691dfa2b99c2ae
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FE0B6303089198FD7B4DF1CE494BA973E1FF48351B5544AAA48ACB275DA28DDC19B81
                                                                                                                                                                                                                                                                    Function 00007FFD9B268075 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ba29789dec72cc5fc5c5fa9793a066a380a967ba79f963b1bc07ed4409e07fe4
                                                                                                                                                                                                                                                                    • Instruction ID: 262d85a883ccb21f83048cd18e5dc65d483a6268e3ed01f6ec562f4de7f3857c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ba29789dec72cc5fc5c5fa9793a066a380a967ba79f963b1bc07ed4409e07fe4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 57E0E531E0451D8EEB54EF68D891BECB7B1FF44205F8000FAE41CE3296CA3569818B00
                                                                                                                                                                                                                                                                    Function 00007FFD9B27EE30 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 05cf38d24c18b540f38753d9fdb6392d95a8a1c3ee74a7bdcfd75d96511cd43c
                                                                                                                                                                                                                                                                    • Instruction ID: 51d540463da47a66adcbba8d909d8a01e0262566c29d79385c379471b28cb028
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 05cf38d24c18b540f38753d9fdb6392d95a8a1c3ee74a7bdcfd75d96511cd43c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F4E01220656ACA4FFB59B2AC49D15903AF0DF0E250F8D00A1E859CB2A3E24E99978716
                                                                                                                                                                                                                                                                    Function 00007FFD9B2838ED Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 841859f3edeb3782946761e5f1df57c0ade66b463b870adef3566569402e4b2f
                                                                                                                                                                                                                                                                    • Instruction ID: e4f4053065837ddef8b0167d054ad5f701489ad64dc9479199ff7bc19c6a9778
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 841859f3edeb3782946761e5f1df57c0ade66b463b870adef3566569402e4b2f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 76D05E2171AC2D4FE9B0EA6CA4A977C27D0EF88711B5104B6E04DC72A2CA2DE9818785
                                                                                                                                                                                                                                                                    Function 00007FFD9B281B61 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                                                    Download Yara Rule
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000D.00000002.2403327813.00007FFD9B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B260000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_13_2_7ffd9b260000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5ce0b42755a09f1b5f90f46963c1e83b6bec16e9bdcea8c2540a945e3111cab2
                                                                                                                                                                                                                                                                    • Instruction ID: ee2e8f437042e6ec67ee0a7e0f84e235efb49b9b723e664d65034419e52c743e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ce0b42755a09f1b5f90f46963c1e83b6bec16e9bdcea8c2540a945e3111cab2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92D02262F0BA8D0FDB60EBFC00781206BC2EF88200F0505669808C20B7ED20E9018200